MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge remote-tracking branch 'MISP/main'

pull/964/head
Christophe Vandeplas 2024-04-23 10:26:52 +02:00
parent 83ffa6fa6f 973eafb521
commit 1651787577
No known key found for this signature in database
GPG Key ID: BDC48619FFDC5A5B
1 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
clusters/threat-actor.json
View File

@ -15874,6 +15874,39 @@
],
"uuid": "97c6d972-a3af-4a21-94a2-0f5e09c7320e",
"value": "UNC3236"
},
{
"description": "Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from the World-Check and leaking about 186GB of data from a stock trading platform. They have been active on Breachforums.is, revealing massive data breaches involving comprehensive details of Thai users, including full names, phone numbers, email addresses, and ID card numbers.",
"meta": {
"refs": [
"https://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html",
"https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web"
]
},
"uuid": "0e4ed0ab-87e2-4588-8fc0-3d720e0efebd",
"value": "GhostR"
},
{
"description": "UTA0218 is a threat actor with advanced capabilities, targeting organizations to establish a reverse shell, acquire tools, and extract data. They exploit vulnerabilities in firewall devices to move laterally within victim networks, focusing on obtaining domain backup keys and active directory credentials. The actor deploys a custom Python backdoor named UPSTYLE to execute commands and download additional tools. UTA0218 is likely state-backed, utilizing a mix of infrastructure including VPNs and compromised routers to store malicious files.",
"meta": {
"refs": [
"https://www.enigmasoftware.com/cve20243400vulnerability-removal/",
"https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
]
},
"uuid": "ee8b8fc4-59f4-4442-a4e6-3686d09c6509",
"value": "UTA0218"
},
{
"description": "UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.",
"meta": {
"refs": [
"https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/",
"https://cert.gov.ua/article/6277849"
]
},
"uuid": "f5f6d4eb-1ec3-494e-807d-5b767122f9b2",
"value": "UAC-0149"
}
],
"version": 307