From 5f8094d16f92af050a5bb6efef7a2a20d9bd7eac Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 24 May 2020 23:14:43 +0530
Subject: [PATCH 1/9] fix
---
 clusters/threat-actor.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 64579ae..01c602b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -979,8 +979,10 @@
 "country": "CN",
 "refs": [
 "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
- "https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85",
- "https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d"
+ "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/"
+ "https://www.crowdstrike.com/blog/storm-chasing/",
+ "https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf"
 ],
 "synonyms": [
 "Black Vine",
@@ -1124,7 +1126,6 @@
 "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
 "https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
 "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
 "https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf",
 "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
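Review bot: The `cyber-deterrence-in-action` CrowdStrike post is added a second time to this refs array (its `http://` form is already the first context line of the hunk), so the cluster now carries a duplicate reference; drop the new `https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/` line or use it to replace the older `http://` one. The same hunk moves `cta-2019-0206.pdf` here from the APT10/menuPass cluster (removed in the next hunk); to my recollection that Recorded Future report number is their APT10 MSP-targeting report rather than Hurricane Panda material, so verify the report's subject before relocating it. The missing comma after the CVE-2014-4113 line is corrected by the following commit in this series.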
@@ -7433,7 +7434,8 @@
 "refs": [
 "https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
 "https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
- "https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf",
+ "https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
+ "https:/twitter.com/bkMSFT/status/1201876664667582466",
 "http://www.secureworks.com/research/threat-profiles/bronze-vinewood"
 ],
 "synonyms": [
From fbd351590a491748131cb3cdf41e2b27f1e4d6a0 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 24 May 2020 23:18:54 +0530
Subject: [PATCH 2/9] Update threat-actor.json
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 01c602b..2532e5a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -979,7 +979,7 @@
 "country": "CN",
 "refs": [
 "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
- "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/"
+ "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
 "https://www.crowdstrike.com/blog/storm-chasing/",
 "https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
 "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf"
From 143bd521be2cbe34b3c721cbf3a235ef00dde656 Mon Sep 17 00:00:00 2001
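Review bot: The added reference `https:/twitter.com/bkMSFT/status/1201876664667582466` has a single slash after the scheme and is not a valid URL; it should read `https://twitter.com/bkMSFT/status/1201876664667582466`. The malformed form still appears as a context line in the `@@ -7428` hunk of PATCH 5, so nothing later in this series repairs it. Since tweets are routinely deleted, a web.archive.org capture of the status would be a more durable reference for the APT31 attribution it supports.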
From: Thomas Dupuy
Date: Tue, 26 May 2020 09:35:01 -0400
Subject: [PATCH 3/9] Add CrackMapExec, metasploit, Cobalt Strike and Covenant
---
 clusters/tool.json | 63 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 62 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index af6a544..fe882b2 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8032,7 +8032,68 @@
 "related": [],
 "uuid": "a2d1cdd6-1c3d-47b3-803b-9a3fffe2f051",
 "value": "Sedkit"
+ },
+ {
+ "description": "Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.",
+ "meta": {
+ "refs": [
+ "https://github.com/cobbr/Covenant/"
+ ],
+ "synonyms": [],
+ "type": [
+ "post-exploitation framework"
+ ]
+ },
+ "related": [],
+ "uuid": "01a4f3c4-a578-49bd-b6ab-eb3b7d27d8c1",
+ "value": "Covenant"
+ },
+ {
+ "description": "Cobalt Strike is a post-exploitation framework.",
+ "meta": {
+ "refs": [
+ "https://www.cobaltstrike.com"
+ ],
+ "synonyms": [],
+ "type": [
+ "post-exploitation framework"
+ ]
+ },
+ "related": [],
+ "uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
+ "value": "Cobalt Strike"
+ },
+ {
+ "description": "Penetration testing framework.",
+ "meta": {
+ "refs": [
+ "https://www.metasploit.com"
+ ],
+ "synonyms": [],
+ "type": [
+ "exploitation framework"
+ ]
+ },
+ "related": [],
+ "uuid": "be419332-61ab-45f0-979e-56f78a223c8e",
+ "value": "metasploit"
+ },
+ {
+ "description": "A swiss army knife for pentesting networks.",
+ "meta": {
+ "refs": [
+ "https://github.com/byt3bl33d3r/CrackMapExec",
+ "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf"
+ ],
+ "synonyms": [],
+ "type": [
+ "exploitation framework"
+ ]
+ },
+ "related": [],
+ "uuid": "e83d1296-027a-4f30-98e0-19622967d5c4",
+ "value": "CrackMapExec"
 }
 ],
- "version": 135
+ "version": 136
 }
From 291fb41502e57cabe941f57a523a8d92c1b7fbad Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Tue, 26 May 2020 09:50:43 -0400
Subject: [PATCH 4/9] Remove duplicate TA (Chafer), fix symantec link, add synonyme for DarkHotel
---
 clusters/threat-actor.json | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)
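Review bot: The new entry's `value` is written `metasploit` while every neighbouring value (`Covenant`, `Cobalt Strike`, `CrackMapExec`) uses the project's own capitalisation; since `value` is the name MISP matches and displays, use `"value": "Metasploit"` and put the lowercase form under `synonyms` if lookups depend on it. The `Cobalt Strike` and Metasploit descriptions are one-liners that never say these are legitimate commercial/open-source offensive tools heavily abused by intrusion sets, a caveat worth adding so a tool tag is not read as attribution, e.g. `"Cobalt Strike is a commercial adversary-simulation and post-exploitation framework; cracked and leaked copies are widely used by criminal and state actors, so its presence alone does not identify an operator."`. CrackMapExec is typed `exploitation framework` although it is primarily a post-exploitation/lateral-movement tool (the linked project describes itself that way), so `post-exploitation framework` would be consistent with the Covenant and Cobalt Strike entries if the type vocabulary permits it.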
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 64579ae..0b8ad29 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -391,7 +391,8 @@
 "https://www.cfr.org/interactive/cyber-operations/darkhotel",
 "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
 "https://attack.mitre.org/groups/G0012/",
- "http://www.secureworks.com/research/threat-profiles/tungsten-bridge"
+ "http://www.secureworks.com/research/threat-profiles/tungsten-bridge",
+ "https://www.antiy.cn/research/notice&report/research_report/20200522.html"
 ],
 "synonyms": [
 "DUBNIUM",
@@ -405,7 +406,8 @@
 "Shadow Crane",
 "APT-C-06",
 "SIG25",
- "TUNGSTEN BRIDGE"
+ "TUNGSTEN BRIDGE",
+ "T-APT-02"
 ]
 },
 "related": [
@@ -4139,24 +4141,12 @@ "attribution-confidence": "50", "country": "IR", "refs": [ - "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" ] }, "uuid": "03f13462-003c-4296-8784-bccea16710a9", "value": "Cadelle" }, - { - "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", - "meta": { - "attribution-confidence": "50", - "country": "IR", - "refs": [ - "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" - ] - }, - "uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3", - "value": "Chafer" - }, { "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). 
The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.", "meta": { @@ -7138,6 +7128,8 @@ { "description": "APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as \"Chafer.\" However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.", "meta": { + "attribution-confidence": "50", + "country": "IR", "refs": [ "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", @@ -8347,5 +8339,5 @@ "value": "COBALT KATANA" } ], - "version": 159 + "version": 160 } From 171f272a1ed5463c24c4a3c923437e6243fb4a1e Mon Sep 17 00:00:00 2001 
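Review bot: Deleting the Chafer entry removes UUID `ddd95696-3d9a-4d0c-beec-a34d396182f3` from the galaxy, and any MISP instance that already tagged events with that cluster is left with a tag that no longer resolves; the usual way to fold a duplicate is to keep the UUID reachable, for instance by adding it to APT39's `related` list with a `similar` relationship, and to make sure `Chafer` is listed under APT39's `synonyms` (that list is outside this hunk, so I cannot confirm it). The "fix symantec link" part of the commit replaces a dated `web.archive.org` snapshot with the live `symantec.com/connect/blogs` URL; Symantec Connect content was being retired around this time and the snapshot was presumably added because the live link already failed, so check that it resolves before dropping the archive. Note also that the retained APT39 entry cites the same Chafer post at `www.symantec.com/blogs/...` while the deleted entry used `symantec-blogs.broadcom.com/...`; keep whichever form actually resolves.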
From: "Daniel Plohmann (jupiter)" Date: Wed, 27 May 2020 09:27:52 +0200 Subject: [PATCH 5/9] default to HTTPS to be consistent with other links to same page --- clusters/threat-actor.json | 60 +++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1b07843..f00cdc8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -391,7 +391,7 @@ "https://www.cfr.org/interactive/cyber-operations/darkhotel", "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians", "https://attack.mitre.org/groups/G0012/", - "http://www.secureworks.com/research/threat-profiles/tungsten-bridge", + "https://www.secureworks.com/research/threat-profiles/tungsten-bridge", "https://www.antiy.cn/research/notice&report/research_report/20200522.html" ], "synonyms": [ @@ -1133,7 +1133,7 @@ "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", "https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018", "https://attack.mitre.org/groups/G0045/", - "http://www.secureworks.com/research/threat-profiles/bronze-riverside" + "https://www.secureworks.com/research/threat-profiles/bronze-riverside" ], "synonyms": [ "APT10", @@ -1266,7 +1266,7 @@ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/", "https://attack.mitre.org/groups/G0004/", - "http://www.secureworks.com/research/threat-profiles/bronze-palace" + "https://www.secureworks.com/research/threat-profiles/bronze-palace" ], "synonyms": [ "Vixen Panda", 
@@ -1467,7 +1467,7 @@ "refs": [ "https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/", "http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf", - "http://www.secureworks.com/research/threat-profiles/bronze-woodland" + "https://www.secureworks.com/research/threat-profiles/bronze-woodland" ], "synonyms": [ "BRONZE WOODLAND", @@ -2019,7 +2019,7 @@ "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/", "https://www.brighttalk.com/webcast/10703/275683", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", - "http://www.secureworks.com/research/threat-profiles/cobalt-trinity" + "https://www.secureworks.com/research/threat-profiles/cobalt-trinity" ], "synonyms": [ "APT 33", @@ -2511,7 +2511,7 @@ "https://www.cfr.org/interactive/cyber-operations/dukes", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", - "http://www.secureworks.com/research/threat-profiles/iron-hemlock" + "https://www.secureworks.com/research/threat-profiles/iron-hemlock" ], "synonyms": [ "Dukes", @@ -2604,7 +2604,7 @@ "https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit", "https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/", "https://attack.mitre.org/groups/G0010/", - "http://www.secureworks.com/research/threat-profiles/iron-hunter" + "https://www.secureworks.com/research/threat-profiles/iron-hunter" ], "synonyms": [ "Turla", 
@@ -2859,7 +2859,7 @@ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://attack.mitre.org/groups/G0046/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "http://www.secureworks.com/research/threat-profiles/gold-niagara" + "https://www.secureworks.com/research/threat-profiles/gold-niagara" ], "synonyms": [ "Carbanak", @@ -3117,7 +3117,7 @@ "https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/", "https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678", "https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/", - "http://www.secureworks.com/research/threat-profiles/nickel-gladstone" + "https://www.secureworks.com/research/threat-profiles/nickel-gladstone" ], "synonyms": [ "Operation DarkSeoul", @@ -3303,7 +3303,7 @@ "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials", "https://s.tencent.com/research/report/669.html", "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", - "http://www.secureworks.com/research/threat-profiles/copper-fieldstone" + "https://www.secureworks.com/research/threat-profiles/copper-fieldstone" ], "synonyms": [ "C-Major", @@ -3436,7 +3436,7 @@ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://securelist.com/the-dropping-elephant-actor/75328/", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", - "http://www.secureworks.com/research/threat-profiles/zinc-emerson" + "https://www.secureworks.com/research/threat-profiles/zinc-emerson" ], "synonyms": [ "Chinastrats", 
@@ -3537,7 +3537,7 @@ "https://www.phnompenhpost.com/national/kingdom-targeted-new-malware", "https://attack.mitre.org/groups/G0017/", "https://attack.mitre.org/groups/G0002/", - "http://www.secureworks.com/research/threat-profiles/bronze-overbrook" + "https://www.secureworks.com/research/threat-profiles/bronze-overbrook" ], "synonyms": [ "Moafee", @@ -3883,7 +3883,7 @@ "https://www.clearskysec.com/oilrig/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/", "https://attack.mitre.org/groups/G0049/", - "http://www.secureworks.com/research/threat-profiles/cobalt-gypsy" + "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy" ], "synonyms": [ "Twisted Kitten", @@ -4246,7 +4246,7 @@ "https://en.wikipedia.org/wiki/Stuxnet", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://attack.mitre.org/groups/G0020/", - "http://www.secureworks.com/research/threat-profiles/platinum-terminal" + "https://www.secureworks.com/research/threat-profiles/platinum-terminal" ], "synonyms": [ "Tilded Team", @@ -4514,7 +4514,7 @@ "https://github.com/eset/malware-research/tree/master/oceanlotus", "https://www.cfr.org/interactive/cyber-operations/ocean-lotus", "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware", - "http://www.secureworks.com/research/threat-profiles/tin-woodlawn" + "https://www.secureworks.com/research/threat-profiles/tin-woodlawn" ], "synonyms": [ "OceanLotus Group", 
@@ -5012,7 +5012,7 @@ "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/", "https://www.cfr.org/interactive/cyber-operations/mofang", "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf", - "http://www.secureworks.com/research/threat-profiles/bronze-walker" + "https://www.secureworks.com/research/threat-profiles/bronze-walker" ], "synonyms": [ "Superman", @@ -6242,7 +6242,7 @@ "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", "https://securelist.com/luckymouse-hits-national-data-center/86083/", "https://attack.mitre.org/groups/G0027/", - "http://www.secureworks.com/research/threat-profiles/bronze-union" + "https://www.secureworks.com/research/threat-profiles/bronze-union" ], "synonyms": [ "Emissary Panda", @@ -6558,7 +6558,7 @@ "https://www.cfr.org/interactive/cyber-operations/mustang-panda", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "http://www.secureworks.com/research/threat-profiles/bronze-president" + "https://www.secureworks.com/research/threat-profiles/bronze-president" ], "synonyms": [ "BRONZE PRESIDENT", @@ -6910,7 +6910,7 @@ "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html", "https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/", "https://krebsonsecurity.com/tag/dnspionage/", - "http://www.secureworks.com/research/threat-profiles/cobalt-edgewater" + "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater" ], "synonyms": [ "COBALT EDGEWATER" 
@@ -7019,7 +7019,7 @@ "https://threatpost.com/ta505-servhelper-malware/140792/", "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/", "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", - "http://www.secureworks.com/research/threat-profiles/gold-tahoe" + "https://www.secureworks.com/research/threat-profiles/gold-tahoe" ], "synonyms": [ "SectorJ04 Group", @@ -7055,7 +7055,7 @@ "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "http://www.secureworks.com/research/threat-profiles/gold-ulrick" + "https://www.secureworks.com/research/threat-profiles/gold-ulrick" ], "synonyms": [ "TEMP.MixMaster" @@ -7071,7 +7071,7 @@ "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service", - "http://www.secureworks.com/research/threat-profiles/gold-crestwood" + "https://www.secureworks.com/research/threat-profiles/gold-crestwood" ], "synonyms": [ "TA542", @@ -7139,7 +7139,7 @@ "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets", "https://attack.mitre.org/groups/G0087/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "http://www.secureworks.com/research/threat-profiles/cobalt-hickman" + "https://www.secureworks.com/research/threat-profiles/cobalt-hickman" ], "synonyms": [ "APT 39", 
@@ -7176,7 +7176,7 @@ "meta": { "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "http://www.secureworks.com/research/threat-profiles/gold-lowell" + "https://www.secureworks.com/research/threat-profiles/gold-lowell" ], "synonyms": [ "GOLD LOWELL" @@ -7276,7 +7276,7 @@ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", - "http://www.secureworks.com/research/threat-profiles/gold-swathmore" + "https://www.secureworks.com/research/threat-profiles/gold-swathmore" ], "synonyms": [ "GOLD SWATHMORE" @@ -7408,7 +7408,7 @@ "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities", "https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian", - "http://www.secureworks.com/research/threat-profiles/cobalt-dickens" + "https://www.secureworks.com/research/threat-profiles/cobalt-dickens" ], "synonyms": [ "COBALT DICKENS", @@ -7428,7 +7428,7 @@ "https://duo.com/decipher/apt-groups-moving-down-the-supply-chain", "https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists", "https:/twitter.com/bkMSFT/status/1201876664667582466", - "http://www.secureworks.com/research/threat-profiles/bronze-vinewood" + "https://www.secureworks.com/research/threat-profiles/bronze-vinewood" ], "synonyms": [ "APT 31", @@ -7796,7 +7796,7 @@ "meta": { "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign", - "http://www.secureworks.com/research/threat-profiles/cobalt-lyceum" + "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum" ], "synonyms": [ "COBALT LYCEUM" 
@@ -8314,7 +8314,7 @@ "description": "COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyware families SABER1 and SABER2, include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers’ discovery of new C2 domains in 2019 suggest the group is still actively performing operations.", "meta": { "refs": [ - "http://www.secureworks.com/research/threat-profiles/cobalt-juno" + "https://www.secureworks.com/research/threat-profiles/cobalt-juno" ], "synonyms": [ "APT-C-38 (QiAnXin)", 
@@ -8329,7 +8329,7 @@ "description": "COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complimentary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.", "meta": { "refs": [ - "http://www.secureworks.com/research/threat-profiles/cobalt-katana" + "https://www.secureworks.com/research/threat-profiles/cobalt-katana" ], "synonyms": [ "Hive0081 (IBM)", From a705d1402f906fb3baae7653ef9498b198027c31 Mon Sep 17 00:00:00 2001 From: "Daniel Plohmann (jupiter)" Date: Wed, 27 May 2020 09:49:58 +0200 Subject: [PATCH 6/9] fixing deadlinks where possible --- clusters/threat-actor.json | 38 ++++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index f00cdc8..714a65a 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -181,7 +181,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "06e659ff-ece8-4e6c-a110-d9692ac6d8ee",
@@ -386,7 +386,7 @@
 "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
 "https://securelist.com/blog/research/66779/the-darkhotel-apt/",
 "https://securelist.com/the-darkhotel-apt/66779/",
- "http://drops.wooyun.org/tips/11726",
+ "https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726",
 "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
 "https://www.cfr.org/interactive/cyber-operations/darkhotel",
 "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
@@ -511,7 +511,7 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
- "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
+ "https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
 "https://www.cfr.org/interactive/cyber-operations/apt-17",
 "https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
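Review bot: The dead RSA Conference deck is replaced with a copy on `docs.huihoo.com`, an unaffiliated mirror, which gives a threat-intel reference weaker provenance than a Wayback Machine capture of the original `rsaconference.com` URL; this same patch uses `web.archive.org` for the wooyun and FireEye links in the next two hunks, and that approach would be preferable here and in the other hunks that switch to the huihoo copy. If no capture of the original exists, keep the mirror but consider listing the original URL alongside it so the intended source stays identifiable.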
@@ -649,7 +649,6 @@
 "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
 "https://www.cfr.org/interactive/cyber-operations/axiom",
 "https://securelist.com/games-are-over/70991/",
- "https://vsec.com.vn/en/blogen/initial-winnti-analysis-against-vietnam-game-company.html",
 "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
 "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
 "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
@@ -736,7 +735,7 @@
 "country": "CN",
 "refs": [
 "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf",
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
 "https://www.cfr.org/interactive/cyber-operations/deep-panda",
 "https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/",
 "https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/",
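Review bot: The `vsec.com.vn` Winnti analysis is deleted outright rather than archived, which silently drops a source for whatever part of this cluster's description relied on it; prefer a `web.archive.org` capture of the original URL, as this patch does elsewhere, and delete only if no capture exists, saying so in the commit message. The enclosing refs array starts and ends outside this hunk.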
@@ -1047,7 +1046,7 @@ "country": "CN", "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", - "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", + "https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/", "https://www.cfr.org/interactive/cyber-operations/iron-tiger" @@ -1633,7 +1632,7 @@ "attribution-confidence": "50", "country": "CN", "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" ] }, "uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761", @@ -3008,7 +3007,7 @@ "attribution-confidence": "50", "country": "RU", "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" ] }, "uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd", @@ -3019,7 +3018,7 @@ "attribution-confidence": "50", "country": "KP", "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" ], "synonyms": [ "OperationTroy", 
@@ -3184,7 +3183,7 @@
 "attribution-confidence": "50",
 "country": "IN",
 "refs": [
- "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
+ "https://kung_foo.keybase.pub/papers_and_presentations/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
 ],
 "synonyms": [
 "Appin",
@@ -3251,8 +3250,8 @@
 "refs": [
 "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/",
 "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france",
- "http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
- "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
+ "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
+ "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
 "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
 "https://www.cfr.org/interactive/cyber-operations/snowglobe",
 "https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/"
@@ -4029,7 +4028,6 @@
 "meta": {
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
- "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks",
 "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/",
 "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/",
 "https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
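Review bot: The replacement reference `https://kung_foo.keybase.pub/...` has an underscore in its hostname label, which is not a valid hostname under RFC 1123, and some URL validators and HTTP clients reject it; it also appears to be a personal Keybase mirror rather than the publisher of the Norman paper, so a `web.archive.org` capture of the original `norman.c.bitbit.net` URL would be the safer choice if one exists. The `@@ -4029` hunk likewise drops the Vectra Moonlight write-up instead of archiving it, losing a source for the Molerats description.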
@@ -4682,7 +4680,7 @@
 "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
 "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
 "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
- "http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf",
+ "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
 "https://attack.mitre.org/groups/G0061"
 ]
@@ -4963,7 +4961,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
 ]
 },
 "uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c",
@@ -5451,7 +5449,7 @@
 {
 "meta": {
 "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50",
@@ -5514,7 +5512,7 @@
 {
 "meta": {
 "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "445c7b62-028b-455e-9d65-74899b7006a4",
@@ -5592,7 +5590,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://en.hackdig.com/02/39538.htm"
+ "http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm"
 ]
 },
 "uuid": "110792e8-38d2-4df2-9ea3-08b60321e994",
@@ -7989,7 +7987,7 @@
 "meta": {
 "refs": [
 "https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
- "http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf"
+ "https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf"
 ],
 "since": "2014",
 "synonyms": [
@@ -8341,5 +8339,5 @@
 "value": "COBALT KATANA"
 }
 ],
- "version": 160
+ "version": 161
 }
From 2a074f23fd861aeeee35fbb4adc2079193339109 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 27 May 2020 10:02:16 +0200
Subject: [PATCH 7/9] chg: [preventive-measure] packet filtering added
---
 clusters/preventive-measure.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json
index f8fb4d9..a004cf2 100644
--- a/clusters/preventive-measure.json
+++ b/clusters/preventive-measure.json
@@ -297,7 +297,20 @@
 },
 "uuid": "3e7a7fb5-8db2-4033-8f4f-d76721819765",
 "value": "ACL"
+ },
+ {
+ "description": "Limit access to a service by network/packet filtering the access to",
+ "meta": {
+ "complexity": "Low",
+ "effectiveness": "Medium",
+ "impact": "Low",
+ "refs": [
+ "https://en.wikipedia.org/wiki/Firewall_(computing)"
+ ]
+ },
+ "uuid": "19c98fa6-45f7-47cc-830d-2d4f39301b06",
+ "value": "Packet filtering"
 }
 ],
- "version": 3
+ "version": 4
 }
From 9c25d5e8c5c0e858f584e5052bc5b74a40f34166 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Thu, 4 Jun 2020 17:18:45 +0200
Subject: [PATCH 8/9] Update threat-actor.json Cycldek
---
 clusters/threat-actor.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 714a65a..572c9cf 100644
--- a/clusters/threat-actor.json
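Review bot: The replacement in the -5592 hunk points at a Google web-cache URL (`webcache.googleusercontent.com/search?q=cache:...`), which is a transient cache entry rather than an archive: Google regenerates or drops it on its own schedule, so this reference will go dark again and there is no dated copy behind it. A Wayback Machine snapshot of `http://en.hackdig.com/02/39538.htm`, in the same form this series uses for the scmagazineuk link, would pin the content to a date and survive the cache entry expiring. If no snapshot exists, keeping the original hackdig URL alongside the cache link at least records what the reference was.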
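Review bot: The `description` added in the preventive-measure -297 hunk ends mid-sentence: `"Limit access to a service by network/packet filtering the access to"`. Something like `"Limit access to a service by filtering network traffic (packet filtering) to it"` is a complete sentence that says the same thing. The only ref is the generic Wikipedia firewall article; a sentence in the description, or a second ref, stating how this measure differs from the neighbouring "ACL" entry would help whoever tags an event pick the right one.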
+++ b/clusters/threat-actor.json
@@ -1208,10 +1208,12 @@
 "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/",
 "https://www.cfr.org/interactive/cyber-operations/hellsing",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/",
+ "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
 "https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html"
 ],
 "synonyms": [
 "Goblin Panda",
+ "Conimes",
 "Cycldek"
 ]
 },
@@ -8339,5 +8341,5 @@
 "value": "COBALT KATANA"
 }
 ],
- "version": 161
+ "version": 162
 }
From f042f98247f00afadffc5f1b2fd0fc250b9ddd45 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Mon, 8 Jun 2020 14:09:39 +0200
Subject: [PATCH 9/9] Update threat-actor.json Higaisa
---
 clusters/threat-actor.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 572c9cf..a42411e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8304,7 +8304,8 @@
 ],
 "country": "KR",
 "refs": [
- "https://s.tencent.com/research/report/836.html"
+ "https://s.tencent.com/research/report/836.html",
+ "https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/"
 ]
 },
 "uuid": "a9df6cb7-74ff-482f-b23b-ac40e975a31a",
@@ -8341,5 +8342,5 @@
 "value": "COBALT KATANA"
 }
 ],
- "version": 162
+ "version": 163
 }