From cfb807861aae843ce3bf25d2e02725f24a57b336 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 7 Mar 2019 14:34:14 +0100
Subject: [PATCH 1/7] FireEye upgraded TEMP.Periscope to APT40
---
 clusters/threat-actor.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1207015..136f219 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5078,10 +5078,14 @@
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
- "https://www.cfr.org/interactive/cyber-operations/leviathan"
+ "https://www.cfr.org/interactive/cyber-operations/leviathan",
+ "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html"
 ],
 "synonyms": [
- "TEMP.Periscope"
+ "TEMP.Periscope",
+ "TEMP.Jumper",
+ "APT 40",
+ "APT40"
 ]
 },
 "related": [
From 31ba566c1827bfed057fbaea388e5e902ca81b7f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 7 Mar 2019 15:51:16 +0100
Subject: [PATCH 2/7] chg: [tool] SLUB Backdoor added
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 7fe9fe4..d98e045 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
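Review bot: The cluster-level `"version"` field is not bumped by this patch: the diffstat reports exactly the 6 insertions and 2 deletions visible in the `@@ -5078,10 +5078,14 @@` hunk, so the Leviathan entry gains new `refs` and `synonyms` while the file version stays unchanged. MISP galaxy consumers use that version to decide whether to re-import a cluster, so on its own this commit would leave the `TEMP.Jumper` / `APT40` synonyms invisible to already-synced instances. PATCH 3 of this series happens to bump `93` to `94` and covers it retroactively, but a content change should carry its own bump, `"version": 94`, at the end of the file (outside this hunk). The new `"APT 40"` / `"APT40"` spelling pair is consistent with how other entries keep both variants, and raises no concern.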
@@ -7552,7 +7552,17 @@
 },
 "uuid": "78ed653d-2d76-4a99-849e-1509e4573c32",
 "value": "BabyShark"
+ },
+ {
+ "uuid": "bb6492fa-36b5-4f4a-a787-e718e7f9997f",
+ "value": "SLUB Backdoor",
+ "description": "The SLUB backdoor is a custom one written in the C++ programming language, statically linking curl library to perform multiple HTTP requests. Other statically-linked libraries are boost (for extracting commands from gist snippets) and JsonCpp (for parsing slack channel communication).",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
+ ]
+ }
 }
 ],
- "version": 111
+ "version": 112
 }
From 1d8ada33a0038b18e52ead912dace9b187f64e42 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 7 Mar 2019 17:50:46 +0100
Subject: [PATCH 3/7] Update threat-actor.json another actor described by 360TIC.
---
 clusters/threat-actor.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 136f219..d434084 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6389,7 +6389,20 @@
 },
 "uuid": "769aeaa6-d193-4e90-a818-d74c6ff7b845",
 "value": "STOLEN PENCIL"
+ },
+ {
+ "description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.",
+ "meta": {
+ "refs": [
+ "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/"
+ ],
+ "synonyms": [
+ "Blind Eagle"
+ ]
+ },
+ "uuid": "ae1c64ff-5a37-4291-97f8-ea402c63efd0",
+ "value": "APT-C-36"
 }
 ],
- "version": 93
+ "version": 94
 }
From 769e0002ef792e9c1f8ddd671af8789abc848b18 Mon Sep 17 00:00:00 2001
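Review bot: The new `"description"` of the `APT-C-36` entry in the `@@ -6389,7 +6389,20 @@` hunk is ungrammatical ("suspected coming from South America carried out") and repeats in prose the names that `"value"` and `"synonyms"` already carry. A cleaner reading that keeps the same claims: `"description": "Since April 2018, an APT group suspected of originating in South America has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, petroleum industry, professional manufacturing and other fields."`. The suspected origin is stated only in prose here, while the IRIDIUM entry added later in this series records attribution in `meta.country`; if the galaxy has a structured field for suspected origin it should be used consistently, though a region rather than a country may not fit that field.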
From: Alexandre Dulaunoy
Date: Fri, 8 Mar 2019 08:10:42 +0100
Subject: [PATCH 4/7] chg: [tools] jq all the things
---
 clusters/tool.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index d98e045..aae74e2 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7554,14 +7554,14 @@
 "value": "BabyShark"
 },
 {
- "uuid": "bb6492fa-36b5-4f4a-a787-e718e7f9997f",
- "value": "SLUB Backdoor",
 "description": "The SLUB backdoor is a custom one written in the C++ programming language, statically linking curl library to perform multiple HTTP requests. Other statically-linked libraries are boost (for extracting commands from gist snippets) and JsonCpp (for parsing slack channel communication).",
 "meta": {
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
 ]
- }
+ },
+ "uuid": "bb6492fa-36b5-4f4a-a787-e718e7f9997f",
+ "value": "SLUB Backdoor"
 }
 ],
 "version": 112
From 4f3e6335b51df02c7d0950b9dfe325ab78ffc62e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Sat, 9 Mar 2019 06:29:26 +0100
Subject: [PATCH 5/7] fix: Wrong (duplicate) value.
---
 clusters/election-guidelines.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/election-guidelines.json b/clusters/election-guidelines.json
index 9e62d16..74f440d 100644
--- a/clusters/election-guidelines.json
+++ b/clusters/election-guidelines.json
@@ -161,7 +161,7 @@
 ]
 },
 "uuid": "54976d3e-7e6f-4863-9338-bc9e5041b9f2",
- "value": "Hacking candidate laptops or email accounts"
+ "value": "Hacking/misconfiguration of government servers, communication networks, or endpoints"
 },
 {
 "description": "Hacking government websites, spreading misinformation on the election process, registered parties/candidates, or results",
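Review bot: The `@@ -161,7 +161,7 @@` hunk changes the `"value"` of an existing element while keeping its `"uuid"` (`54976d3e-7e6f-4863-9338-bc9e5041b9f2`), so any MISP event already tagged with that uuid is silently re-labelled from "Hacking candidate laptops or email accounts" to "Hacking/misconfiguration of government servers, communication networks, or endpoints". That is acceptable if the old value was only a copy-paste duplicate of another element and this uuid was never meant to carry it, which the subject suggests but the hunk cannot show; otherwise a fresh uuid for the new meaning would be safer. The element's `"description"` lies above the hunk and is not visible here; it should be checked that it describes the new value rather than the old one, since a description/value mismatch is exactly the kind of defect this fix is correcting.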
@@ -332,5 +332,5 @@
 "value": "Defacement, DoS or overload of websites or other systems used for publication of the results"
 }
 ],
- "version": 1
+ "version": 2
 }
From 6fb1303570ec5abefe7561802481401df406e25f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 10 Mar 2019 10:47:34 +0100
Subject: [PATCH 6/7] chg: [threat-actor] IRIDIUM added Ref: https://resecurity.com/blog/parliament_races/
---
 clusters/threat-actor.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d434084..e4f7c21 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6402,7 +6402,19 @@
 },
 "uuid": "ae1c64ff-5a37-4291-97f8-ea402c63efd0",
 "value": "APT-C-36"
+ },
+ {
+ "value": "IRIDIUM",
+ "uuid": "29cfe970-5446-4cfc-a2da-00e9f49e02ba",
+ "description": "Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM. This actor targets sensitive government, diplomatic, and military resources in the countries comprising the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom and the United States)",
+ "meta": {
+ "refs": [
+ "https://resecurity.com/blog/parliament_races/",
+ "https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986"
+ ],
+ "country": "IR"
+ }
 }
 ],
- "version": 94
+ "version": 95
 }
From eb665e288368dd2046d7c284b8f14eef7bd45690 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 10 Mar 2019 11:15:13 +0100
Subject: [PATCH 7/7] chg: [threat-actor] jq all the things
---
 clusters/threat-actor.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e4f7c21..bd910c1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
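Review bot: The `"description"` of the new `IRIDIUM` entry in the `@@ -6402,7 +6402,19 @@` hunk is vendor text quoted in the first person ("a nation-state actor whom we are calling IRIDIUM"), so inside the galaxy it reads as if the galaxy maintainers coined the name, and "the attack on Parliament" never says which parliament. Rewording to third person and naming the target from the referenced report would fix both, e.g. `"description": "Resecurity’s research indicates that the attack on Parliament is part of a multi-year cyberespionage campaign orchestrated by a nation-state actor that Resecurity calls IRIDIUM. ..."` with the parliament filled in from the reference. `"country": "IR"` records a single-vendor attribution as a structured fact; the NBC reference supports an Iranian link, but the description should state that the attribution is Resecurity's assessment so consumers can weigh it. The string also lacks a closing period, unlike the other descriptions in this file.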
@@ -6404,16 +6404,16 @@
 "value": "APT-C-36"
 },
 {
- "value": "IRIDIUM",
- "uuid": "29cfe970-5446-4cfc-a2da-00e9f49e02ba",
 "description": "Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM. This actor targets sensitive government, diplomatic, and military resources in the countries comprising the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom and the United States)",
 "meta": {
+ "country": "IR",
 "refs": [
 "https://resecurity.com/blog/parliament_races/",
 "https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986"
- ],
- "country": "IR"
- }
+ ]
+ },
+ "uuid": "29cfe970-5446-4cfc-a2da-00e9f49e02ba",
+ "value": "IRIDIUM"
 }
 ],
 "version": 95