This commit is contained in:
Delta-Sierra 2024-04-19 13:28:05 +02:00
commit f9e40fc309
5 changed files with 3406 additions and 1979 deletions

File diff suppressed because it is too large Load diff

View file

@ -8118,7 +8118,27 @@
},
"uuid": "da228f94-4412-4226-9113-e19a55cd4aa5",
"value": "Zimbabwe"
},
{
"meta": {
"capital": "El Aaiún",
"currency": "Sahrawi peseta",
"iso-code": [
"EH"
],
"official-languages": [
"Arabic",
"Spanish"
],
"synonyms": [
"Sahrawi Republic",
"Western Sahara"
],
"top-level-domain": ".eh"
},
"uuid": "e21d3329-62f1-4ee3-8441-586d988a22e2",
"value": "Sahrawi Arab Democratic Republic"
}
],
"version": 8
"version": 9
}

View file

@ -2828,7 +2828,10 @@
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine",
"https://cert.gov.ua/article/405538",
"https://cip.gov.ua/services/cm/api/attachment/download?id=60068"
"https://cip.gov.ua/services/cm/api/attachment/download?id=60068",
"https://packetstormsecurity.com/news/view/35790/Recent-OT-And-Espionage-Attacks-Linked-To-Russias-Sandworm-Now-Named-APT44.html",
"https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235",
"https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"
],
"synonyms": [
"Quedagh",
@ -2843,7 +2846,8 @@
"FROZENBARENTS",
"UAC-0113",
"Seashell Blizzard",
"UAC-0082"
"UAC-0082",
"APT44"
],
"targeted-sector": [
"Electric",
@ -5631,7 +5635,8 @@
"PLA Navy",
"MAVERICK PANDA",
"BRONZE EDISON",
"Sykipot"
"SODIUM",
"Salmon Typhoon"
]
},
"uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
@ -7069,7 +7074,10 @@
"https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
"https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european",
"https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW",
"https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf",
"https://thecyberwire.com/podcasts/microsoft-threat-intelligence/4/notes"
],
"synonyms": [
"BRONZE PRESIDENT",
@ -7080,7 +7088,10 @@
"Earth Preta",
"TA416",
"Stately Taurus",
"LuminousMoth"
"LuminousMoth",
"Polaris",
"TANTALUM",
"Twill Typhoon"
]
},
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
@ -8103,7 +8114,23 @@
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists",
"https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities",
"https://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy",
"https://intrusiontruth.wordpress.com/2023/05/12/the-illustrious-graduates-of-wuhan-kerui",
"https://intrusiontruth.wordpress.com/2023/05/13/all-roads-lead-back-to-wuhan-xiaoruizhi-science-and-technology-company",
"https://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise",
"https://intrusiontruth.wordpress.com/2023/05/16/introducing-cheng-feng",
"https://intrusiontruth.wordpress.com/2023/05/17/missing-links",
"https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Common-TTPs-of-attacks-against-industrial-organizations-implants-for-remote-access-En.pdf",
"https://asec.ahnlab.com/ko/55070",
"https://intrusiontruth.wordpress.com/2023/07/04/wuhan-xiaoruizhi-class-of-19",
"https://intrusiontruth.wordpress.com/2023/07/07/one-man-and-his-lasers",
"https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2023-02-bfv-cyber-brief.pdf?__blob=publicationFile&v=6",
"https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived",
"https://www.justice.gov/opa/media/1345141/dl?inline",
"https://www.gov.uk/government/news/uk-holds-china-state-affiliated-organisations-and-individuals-responsible-for-malicious-cyber-activity",
"https://harfanglab.io/en/insidethelab/apt31-indictment-analysis/"
],
"synonyms": [
"ZIRCONIUM",
@ -8179,7 +8206,9 @@
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
"https://unit42.paloaltonetworks.com/atoms/mangataurus/",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html",
"https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html"
],
"synonyms": [
"CIRCUIT PANDA",
@ -8189,7 +8218,8 @@
"G0098",
"T-APT-03",
"Manga Taurus",
"Red Djinn"
"Red Djinn",
"Earth Hundun"
]
},
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
@ -8674,7 +8704,8 @@
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
"https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf"
"https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
"https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html"
],
"synonyms": [
"G0096",
@ -8692,7 +8723,8 @@
"Earth Baku",
"Amoeba",
"HOODOO",
"Brass Typhoon"
"Brass Typhoon",
"Earth Freybug"
]
},
"related": [
@ -10856,7 +10888,12 @@
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools",
"https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf"
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf",
"https://securelist.com/apt-annual-review-2021/105127",
"https://securelist.com/apt-trends-report-q2-2021/103517",
"https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jolly-jellyfish/NCSC-MAR-Jolly-Jellyfish.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/pdf/2022-year-in-retrospect-report.pdf",
"https://www.youtube.com/watch?v=-7Swd1ZetiQ"
],
"synonyms": [
"CHROMIUM",
@ -10867,7 +10904,9 @@
"AQUATIC PANDA",
"Red Dev 10",
"RedHotel",
"Charcoal Typhoon"
"Charcoal Typhoon",
"BountyGlad",
"Red Scylla"
]
},
"related": [
@ -12333,10 +12372,18 @@
"country": "CN",
"refs": [
"https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations",
"https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"
"https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/",
"https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/",
"https://www.dragos.com/threat/voltzite/"
],
"synonyms": [
"BRONZE SILHOUETTE"
"BRONZE SILHOUETTE",
"VANGUARD PANDA",
"UNC3236",
"Insidious Taurus",
"VOLTZITE",
"Dev-0391",
"Storm-0391"
]
},
"uuid": "f02679fa-5e85-4050-8eb5-c2677d93306f",
@ -12579,7 +12626,11 @@
"https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/",
"https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr",
"https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/",
"https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/",
"https://www.youtube.com/watch?v=khywfhJv4H8",
"https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf"
]
},
"uuid": "5b30bcb8-4923-45cc-bc89-29651ca5d54e",
@ -14460,7 +14511,8 @@
"https://www.crowdstrike.com/global-threat-report/"
],
"synonyms": [
"Ethereal Panda"
"Ethereal Panda",
"Storm-0919"
]
},
"uuid": "50ee2b1b-979e-4507-8747-8597a95938f6",
@ -14821,11 +14873,13 @@
"https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/",
"https://paper.seebug.org/3031/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11",
"https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/"
"https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/",
"https://gbhackers.com/vedalia-apt-group-exploits/"
],
"synonyms": [
"OSMIUM",
"Konni"
"Konni",
"Vedalia"
]
},
"uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488",
@ -15535,6 +15589,86 @@
"uuid": "0b158297-ee47-48ef-9346-0cb0f9cb348a",
"value": "UNC5174"
},
{
"description": "CyberNiggers is a threat group known for breaching various organizations, including the US military, federal contractors, and multinational corporations like General Electric. Led by the prominent member IntelBroker, they specialize in selling access to compromised systems and stealing sensitive data, such as military files and personally identifiable information. The group has targeted a diverse portfolio of organizations, showcasing their strategic approach to gathering varied sets of information. Their activities raise concerns about national security, individual privacy, and the need for robust cybersecurity measures to mitigate the impact of cyber adversaries.",
"meta": {
"refs": [
"https://socradar.io/acuity-federal-breach-okta-leak-dcrat-exploit/",
"https://socradar.io/u-s-faces-cyber-onslaught-fico-breach-id-cc-military-data-sale/",
"https://socradar.io/dark-web-profile-cyberniggers/"
]
},
"uuid": "21ad5aad-0a55-457d-b94d-3b4565e82e0a",
"value": "CyberNiggers"
},
{
"description": "Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails with disguised Agent Tesla attachments protected by Cassandra Protector. They compromised servers by installing Plesk and RoundCube, connected via SSH and RDP, and used advanced obfuscation methods to evade detection. Bignosa collaborated with another cybercriminal named Gods, who provided advice and assistance in their malicious activities. The actor has been linked to multiple phishing attacks and malware distribution campaigns, showcasing a high level of sophistication in their operations.",
"meta": {
"country": "KE",
"refs": [
"https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/"
]
},
"uuid": "07232925-bd1b-49a9-adca-46536ff6fdd8",
"value": "Bignosa"
},
{
"description": "The Smishing Triad is a Chinese-speaking threat group known for targeting postal services and their customers globally through smishing campaigns. They leverage compromised Apple iMessage accounts to send fraudulent messages warning of undeliverable packages, aiming to collect personally identifying information and payment credentials. The group offers smishing kits for sale on platforms like Telegram, enabling other cybercriminals to launch independent attacks. \"Smishing Triad\" has expanded its operations to target UAE citizens, using geo-filtering to focus on victims in the Emirates.",
"meta": {
"country": "CN",
"refs": [
"https://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens"
]
},
"uuid": "85db04b5-1ec2-4e25-908a-f53576bd175a",
"value": "Smishing Triad"
},
{
"description": "Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, and military infrastructure. They have claimed responsibility for launching cyberattacks resulting in substantial damage and data exfiltration. The group allegedly used the Fuxnet malware to target sensor gateways connected to internet-connected sensors, impacting infrastructure monitoring systems. Blackjack has also been involved in attacks against companies like Moscollector, causing disruptions and stealing sensitive data.",
"meta": {
"country": "UA",
"refs": [
"https://www.enigmasoftware.com/fuxneticsmalware-removal/",
"https://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/",
"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware",
"https://www.rewterz.com/rewterz-news/rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack/"
]
},
"uuid": "a5aa9b72-2bfb-427c-97fc-6ec04357233b",
"value": "BlackJack"
},
{
"description": "CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023. They use the RotBot loader family and XClient stealer to steal victim information, with hardcoded Vietnamese words in their payloads. CoralRaider operates from Hanoi, Vietnam, and uses a Telegram bot as a C2 channel for their malicious campaigns. Their activities include system reconnaissance, data exfiltration, and targeting victims in multiple countries in the region.",
"meta": {
"country": "VN",
"refs": [
"https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/"
]
},
"uuid": "20927a3f-d011-4e22-8268-0938d6816a13",
"value": "CoralRaider"
},
{
"description": "RUBYCARP is a financially-motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilities in frameworks like Laravel and WordPress, as well as conducting phishing operations to steal financial assets. They use a variety of tools, including the Perl Shellbot, for post-exploitation activities and have a diverse set of illicit income streams.",
"meta": {
"country": "RO",
"refs": [
"https://sysdig.com/blog/rubycarp-romanian-botnet-group/"
]
},
"uuid": "2742b229-02f4-40d0-9b99-91844a2b030e",
"value": "RUBYCARP"
},
{
"description": "Starry Addax is a threat actor targeting human rights activists associated with the Sahrawi Arab Democratic Republic using a novel mobile malware called FlexStarling. They conduct phishing attacks to trick targets into installing malicious Android applications and serve credential-harvesting pages to Windows-based targets. Their infrastructure targets both Windows and Android users, with the campaign starting with spear-phishing emails containing requests to install specific mobile apps or related themes. The campaign is in its early stages, with potential for additional malware variants and infrastructure development.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/starry-addax/"
]
},
"uuid": "579fde0d-0840-4e49-ad62-405ce338f5a6",
"value": "Starry Addax"
},
{
"description": "",
"meta": {
@ -15742,5 +15876,5 @@
"value": "UNC3236"
}
],
"version": 306
"version": 307
}

41
tools/NER/extract.py Normal file
View file

@ -0,0 +1,41 @@
import os
import json
import argparse
thisDir = os.path.dirname(__file__)
clusters = []
pathClusters = os.path.join(thisDir, '../../clusters')
pathGalaxies = os.path.join(thisDir, '../../galaxies')
skip_list = ["cancer.json", "handicap.json", "ammunitions.json", "firearms.json"]
for f in os.listdir(pathGalaxies):
if '.json' in f:
with open(os.path.join(pathGalaxies, f), 'r') as f_in:
galaxy_data = json.load(f_in)
if galaxy_data.get('namespace') != 'deprecated':
if f not in skip_list:
clusters.append(f)
clusters.sort()
for cluster in clusters:
fullPathClusters = os.path.join(pathClusters, cluster)
with open(fullPathClusters) as fp:
c = json.load(fp)
cluster_name = cluster.split(".")[0].upper()
l = f'{cluster_name}'
for v in c['values']:
if 'uuid' not in v:
continue
l += f",{v['value']}"
if 'meta' not in v:
continue
if 'synonyms' not in v['meta']:
continue
for synonym in v['meta']['synonyms']:
l += f',{synonym}'
print(l)

View file

@ -11,7 +11,7 @@ ghp-import==2.1.0
gitdb==4.0.11
GitPython==3.1.41
graphviz==0.20.1
idna==3.6
idna==3.7
Jinja2==3.1.3
Markdown==3.5.2
MarkupSafe==2.1.4