From ccfe5ee1305ee7383d1033c1620b0af44be2816d Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 23 Jan 2020 11:14:20 +0100
Subject: [PATCH] removing and fixing deadlinks in the best possible way
Hi! While migrating Malpedia to our new reference data format, we noticed a few potentially dead/moved references in your cluster. This pull request should fix most of them, for some I was not able to find an appropriate replacement.
---
 clusters/threat-actor.json | 60 ++++++++++++++++----------------------
 1 file changed, 25 insertions(+), 35 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fdca75f..0f354e6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -216,7 +216,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
 ]
 },
 "uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd",
@@ -506,7 +506,7 @@
 "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf",
 "https://www.cfr.org/interactive/cyber-operations/apt-17",
- "https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/",
+ "https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
 "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
 "https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
 "https://www.recordedfuture.com/hidden-lynx-analysis/"
@@ -659,7 +659,7 @@
 "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
 "https://www.cfr.org/interactive/cyber-operations/axiom",
 "https://securelist.com/games-are-over/70991/",
- "https://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html",
+ "https://vsec.com.vn/en/blogen/initial-winnti-analysis-against-vietnam-game-company.html",
 "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
 "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
 "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
@@ -834,7 +834,7 @@
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
 "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
- "https://threatconnect.com/tag/naikon/",
+ "https://threatconnect.com/blog/tag/naikon/",
 "https://attack.mitre.org/groups/G0019/"
 ],
 "synonyms": [
@@ -2070,7 +2070,7 @@
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
 "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
 "http://www.clearskysec.com/thamar-reservoir/",
- "https://citizenlab.org/2015/08/iran_two_factor_phishing/",
+ "https://citizenlab.ca/2015/08/iran_two_factor_phishing/",
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
 "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
@@ -2380,10 +2380,9 @@
 "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
 "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
 "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
 "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
 "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
- "https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT",
+ "https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny",
 "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
 "https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
 "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
@@ -2647,7 +2646,6 @@
 "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
 "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
 "https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
- "https://ssu.gov.ua/sbu/control/uk/publish/article?art_id=170951&cat_i=39574",
 "https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA",
 "https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
 "https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
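Review bot: In the `@@ -2380` hunk the replacement MSN link does not look like the same article as the one it removes: the old slug was `russia-tried-to-hack-mh17-inquiry-system`, the new one is `russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files`, which reads like coverage of a different event. A reference in an attribution cluster should keep pointing at the source that originally supported the entry, so I would prefer an archived copy of the removed URL, e.g. `"https://web.archive.org/web/<SNAPSHOT_TIMESTAMP>/https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT",`, in the form the `@@ -3181` hunk already uses for the CrowdStrike post. The same applies to the F-Secure Sofacy reference this hunk drops without a replacement, if a snapshot of it exists. The `refs` array starts and ends outside the hunk.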
@@ -2811,10 +2809,9 @@
 "motive": "Cybercrime",
 "refs": [
 "https://en.wikipedia.org/wiki/Carbanak",
- "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf",
+ "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
 "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf",
 "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/",
 "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
 "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
@@ -3181,7 +3178,7 @@
 "attribution-confidence": "50",
 "country": "TN",
 "refs": [
- "https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
+ "https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
 ],
 "synonyms": [
 "TunisianCyberArmy"
@@ -3270,7 +3267,6 @@
 "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
 "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
 "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
- "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf",
 "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
 "https://s.tencent.com/research/report/669.html",
 "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html"
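Review bot: The `+` line in the `@@ -2811` hunk swaps the vendor-hosted Carbanak report for an opaque file-share link, `https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe`, and the `@@ -5385` hunk does the same for the ASERT brief; the `@@ -5345` hunk likewise moves the RSA Conference slides to a `docs.huihoo.com` mirror. Nothing in such a URL tells a reader who hosts the file or whether it is the original document, and the share owner can replace or revoke it at any time, which is a weak provenance chain for a reference that analysts will be asked to open. I would use an archive snapshot of the original publisher URL instead, e.g. `"https://web.archive.org/web/<SNAPSHOT_TIMESTAMP>/https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf",`, in the form the `@@ -3181` hunk already uses. The `refs` array continues outside the hunk.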
@@ -3312,7 +3308,7 @@
 "cfr-type-of-incident": "Espionage",
 "country": "AE",
 "refs": [
- "https://citizenlab.org/2016/05/stealth-falcon/",
+ "https://citizenlab.ca/2016/05/stealth-falcon/",
 "https://www.cfr.org/interactive/cyber-operations/stealth-falcon",
 "https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/",
 "https://attack.mitre.org/groups/G0038/"
@@ -3396,7 +3392,7 @@
 "country": "IN",
 "refs": [
 "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
- "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign",
+ "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign",
 "https://www.cymmetria.com/patchwork-targeted-attack/",
 "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
 "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
@@ -3495,7 +3491,7 @@
 "refs": [
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
 "https://attack.mitre.org/wiki/Groups",
- "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
+ "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor",
 "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor",
 "https://www.cfr.org/interactive/cyber-operations/moafee",
 "https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
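Review bot: The new Forcepoint link in the `@@ -3495` hunk carries a `/de/` locale segment (`https://www.forcepoint.com/de/blog/x-labs/...`), while the Forcepoint replacement in the `@@ -3396` hunk uses the locale-neutral `/blog/x-labs/` path. For consistency, and so readers are not sent to a localized page, I would drop the segment if the neutral path resolves: `"https://www.forcepoint.com/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor",`. The `refs` array ends outside the hunk.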
@@ -3836,7 +3832,7 @@
 "https://pan-unit42.github.io/playbook_viewer/",
 "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
 "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
- "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf",
+ "https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf",
 "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a",
 "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json",
 "https://www.cfr.org/interactive/cyber-operations/oilrig",
@@ -3944,7 +3940,7 @@
 "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .",
 "meta": {
 "refs": [
- "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf",
+ "https://blog.checkpoint.com/2015/03/31/volatilecedar/",
 "https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/",
 "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/"
 ],
@@ -3998,11 +3994,10 @@
 "https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
 "https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html",
 "https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html",
- "https://blog.vectra.ai/blog/moonlight-middle-east-targeted-attacks",
+ "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
 "https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/",
 "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf",
 "https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf",
 "https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
 "https://www.kaspersky.com/blog/gaza-cybergang/26363/",
 "https://attack.mitre.org/groups/G0021/"
@@ -4092,7 +4087,7 @@
 "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.",
 "meta": {
 "refs": [
- "https://citizenlab.org/2015/12/packrat-report/"
+ "https://citizenlab.ca/2015/12/packrat-report/"
 ]
 },
 "uuid": "fe344665-d153-4d31-a32a-1509efde1ca7",
@@ -4937,7 +4932,7 @@
 "attribution-confidence": "50",
 "country": "KP",
 "refs": [
- "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
+ "https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html"
 ]
 },
 "uuid": "73c636ae-e55c-4167-bf40-315789698adb",
@@ -4964,7 +4959,6 @@
 "country": "CN",
 "refs": [
 "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
- "https://www.threatconnect.com/china-superman-apt/",
 "https://www.cfr.org/interactive/cyber-operations/mofang",
 "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
 ],
@@ -4995,7 +4989,7 @@
 "country": "IR",
 "refs": [
 "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
- "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
+ "https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr",
 "http://www.clearskysec.com/copykitten-jpost/",
 "http://www.clearskysec.com/tulip/",
 "https://www.cfr.org/interactive/cyber-operations/copykittens",
@@ -5345,7 +5339,7 @@
 {
 "meta": {
 "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "e85ab78c-5e86-403c-b444-9cdcc167fb77",
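Review bot: The removed iSIGHT Partners URL (`.../2016/02/threatscape-media-highlights-update-week-of-february-17th/`) ends up with two different replacements: a FireEye post under `/2018/02/` in the `@@ -4937` hunk and `http://en.hackdig.com/02/39538.htm` in the `@@ -5539` hunk. Judging by the dates in the paths, the 2018 post cannot be the February 2016 source, so at least one entry no longer cites the document it was originally based on. The hackdig link is also plain `http` on what appears to be a third-party repost site. I would point both entries at an archived copy of the original, e.g. `"https://web.archive.org/web/<SNAPSHOT_TIMESTAMP>/https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"`, or drop the reference where no snapshot exists.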
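Review bot: The DomainTools replacement in the `@@ -4995` hunk ends in `...attack-infrastr`, which looks like a slug cut off mid-word; the removed URL ended in `...attack-infrastructure/`. It may be the site's real shortened permalink, but it should be confirmed that it resolves to the case study rather than to a redirect or error page. If it does not, I would fall back to an archived copy of the removed URL, `"https://web.archive.org/web/<SNAPSHOT_TIMESTAMP>/<removed blog.domaintools.com URL>",`. The `refs` array ends outside the hunk.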
@@ -5385,7 +5379,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf",
+ "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
 "https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml",
 "https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
 ]
@@ -5439,11 +5433,9 @@
 "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf",
 "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html",
 "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/",
- "https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf",
 "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/",
 "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
 "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
- "https://www.ci-project.org/blog/2017/3/4/arid-viper",
 "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
 "https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
@@ -5514,7 +5506,7 @@
 "country": "RU",
 "refs": [
 "https://securelist.com/introducing-whitebear/81638/",
- "https://www.cfr.org/interactive/cyber-operations/whitebears"
+ "https://www.cfr.org/interactive/cyber-operations/whitebear"
 ],
 "synonyms": [
 "Skipper Turla"
@@ -5539,7 +5531,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
+ "http://en.hackdig.com/02/39538.htm"
 ]
 },
 "uuid": "110792e8-38d2-4df2-9ea3-08b60321e994",
@@ -5638,7 +5630,6 @@
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/",
- "https://www.group-ib.com/resources/reports/money-taker.html",
 "https://www.group-ib.com/blog/moneytaker"
 ]
 },
@@ -5650,7 +5641,7 @@
 "meta": {
 "refs": [
 "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
- "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf"
 ]
 },
 "uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632",
@@ -5766,7 +5757,7 @@
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
- "https://www.cfr.org/interactive/cyber-operations/leviathan",
+ "https://www.cfr.org/interactive/cyber-operations/apt-40",
 "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
 "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/",
 "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html",
@@ -6134,7 +6125,7 @@
 "description": "ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.",
 "meta": {
 "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03095519/ZooPark_for_public_final.pdf"
+ "https://securelist.com/whos-who-in-the-zoo/85394/"
 ]
 },
 "uuid": "4defbf2e-4f73-11e8-807f-578d61da7568",
@@ -6420,7 +6411,7 @@
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/inception-framework",
 "https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit",
- "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/%238",
+ "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
 "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
 "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
 "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf"
@@ -7237,7 +7228,6 @@
 "attribution-confidence": "10",
 "country": "IR",
 "refs": [
- "https://resecurity.com/blog/parliament_races/",
 "https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986",
 "https://threatpost.com/ranian-apt-6tb-data-citrix/142688/",
 "https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/"