MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

merge

pull/264/head
Deborah Servili 2018-09-19 16:01:46 +02:00
parent 3f22dbd17d 79146b9d10
commit 0a724bee3d
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
2 changed files with 74 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
clusters/threat-actor.json
View File

@ -338,6 +338,7 @@
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "KP",
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
@ -2718,14 +2719,25 @@
"value": "Deadeye Jackal"
},
{
"description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro.",
"description": "Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.",
"meta": {
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-target-category": [
"Civil society",
"Military",
"Government"
],
"country": "PK",
"refs": [
"http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf"
"http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
"https://www.amnesty.org/en/documents/asa33/8366/2018/en/",
"https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/"
],
"synonyms": [
"C-Major"
"C-Major",
"Transparent Tribe",
"Mythic Leopard"
]
},
"uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905",
@ -2834,6 +2846,7 @@
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "IN",
"refs": [
"https://securelist.com/blog/research/75328/the-dropping-elephant-actor/",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
@ -2866,16 +2879,6 @@
"uuid": "18d473a5-831b-47a5-97a1-a32156299825",
"value": "Dropping Elephant"
},
{
"description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.",
"meta": {
"refs": [
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
]
},
"uuid": "0b36d80d-5966-4c91-945b-1ac85552aa7b",
"value": "Operation Transparent Tribe"
},
{
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.",
"meta": {
@ -3030,6 +3033,7 @@
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "US",
"refs": [
"https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/",
"https://www.cfr.org/interactive/cyber-operations/project-sauron"
@ -3803,6 +3807,7 @@
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"country": "VN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
"https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/",
@ -4463,6 +4468,7 @@
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "ES",
"refs": [
"https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/",
"https://www.cfr.org/interactive/cyber-operations/careto"
@ -4821,6 +4827,7 @@
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
"https://www.cfr.org/interactive/cyber-operations/muddywater"
@ -5021,16 +5028,6 @@
"uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
"value": "APT35"
},
{
"description": "Kaspersky Lab has been tracking a series of attacks utilizing unknown malware since early 2017. The attacks appear to be geopolitically motivated and target high profile organizations. The objective of the attacks is clearly espionage they involve gaining access to top legislative, executive and judicial bodies around the world.",
"meta": {
"refs": [
"https://securelist.com/operation-parliament-who-is-doing-what/85237/"
]
},
"uuid": "20f2d3a4-3ee7-11e8-8e78-837fd23517e0",
"value": "Operation Parliament"
},
{
"description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.",
"meta": {
@ -5262,6 +5259,7 @@
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"mode-of-operation": "IT network limited, information gathering against industrial orgs",
"refs": [
"https://dragos.com/adversaries.html",
@ -5384,16 +5382,6 @@
"uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
"value": "LuckyMouse"
},
{
"description": "Symantec have been monitoring Thrip since 2013 when they uncovered a spying campaign being orchestrated from systems based in China. Since their initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. All of these tools, with the exception of Mimikatz (which is almost always used maliciously), have legitimate uses.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
]
},
"uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3s",
"value": "Thrip"
},
{
"description": "The Rancor groups attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.",
"meta": {
@ -5413,7 +5401,8 @@
"cfr-target-category": [
"Government",
"Civil society"
]
],
"country": "CN"
},
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
"value": "RANCOR"
@ -5498,7 +5487,8 @@
"cfr-target-category": [
"Government",
"Private sector"
]
],
"country": "CN"
},
"uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762"
},
@ -5507,7 +5497,8 @@
"description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-parliament"
"https://www.cfr.org/interactive/cyber-operations/operation-parliament",
"https://securelist.com/operation-parliament-who-is-doing-what/85237/"
],
"cfr-suspected-victims": [
"Palestine",
@ -5588,7 +5579,8 @@
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
],
"country": "CN"
},
"uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"related": [
@ -5629,7 +5621,8 @@
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Civil society"
]
],
"country": "CN"
},
"uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
"related": [
@ -5656,7 +5649,8 @@
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Civil society"
]
],
"country": "CN"
},
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339"
},
@ -5665,7 +5659,8 @@
"description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/thrip"
"https://www.cfr.org/interactive/cyber-operations/thrip",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
],
"cfr-suspected-victims": [
"United States"
@ -5700,7 +5695,8 @@
"cfr-target-category": [
"Government",
"Civil society"
]
],
"country": "PK"
},
"uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c"
},
@ -5713,7 +5709,31 @@
]
},
"uuid": "abd89986-b1b0-11e8-b857-efe290264006"
},
{
"value": "Bahamut",
"description": "Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors. They were observed conduct phishing as well as desktop and mobile malware campaigns.",
"meta": {
"refs": [
"https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
]
},
"uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7"
},
{
"value": "Iron Group",
"description": "Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect, at least, a few thousand victims.",
"meta": {
"refs": [
"https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
],
"synonyms": [
"Iron Cyber Group"
]
},
"uuid": "6a0ea861-229a-45a6-98f5-228f69b43905"
}
],
"version": 58
"version": 61
}

13
clusters/tool.json
View File

@ -5783,7 +5783,18 @@
"Government",
"Private sector"
]
}
},
"uuid": "00c31914-bc0e-11e8-8241-3ff3b5e4671d"
},
{
"value": "Xbash",
"description": "Xbash is a malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
]
},
"uuid": "10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3"
}
],
"version": 88