Merge pull request #552 from danielplohmann/reference-fixes

Reference fixes
Alexandre Dulaunoy 2020-05-29 09:26:05 +02:00 committed by GitHub
commit 3867b1f602
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 48 additions and 50 deletions


@ -181,7 +181,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
]
},
"uuid": "06e659ff-ece8-4e6c-a110-d9692ac6d8ee",
@ -386,12 +386,12 @@
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
"https://securelist.com/blog/research/66779/the-darkhotel-apt/",
"https://securelist.com/the-darkhotel-apt/66779/",
"http://drops.wooyun.org/tips/11726",
"https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726",
"https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
"https://www.cfr.org/interactive/cyber-operations/darkhotel",
"https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
"https://attack.mitre.org/groups/G0012/",
"http://www.secureworks.com/research/threat-profiles/tungsten-bridge",
"https://www.secureworks.com/research/threat-profiles/tungsten-bridge",
"https://www.antiy.cn/research/notice&report/research_report/20200522.html"
],
"synonyms": [
@ -511,7 +511,7 @@
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
"https://www.cfr.org/interactive/cyber-operations/apt-17",
"https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
@ -649,7 +649,6 @@
"https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
"https://www.cfr.org/interactive/cyber-operations/axiom",
"https://securelist.com/games-are-over/70991/",
"https://vsec.com.vn/en/blogen/initial-winnti-analysis-against-vietnam-game-company.html",
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
"https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
"https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
@ -736,7 +735,7 @@
"country": "CN",
"refs": [
"http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf",
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
"https://www.cfr.org/interactive/cyber-operations/deep-panda",
"https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/",
"https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/",
@ -1047,7 +1046,7 @@
"country": "CN",
"refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
"https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
"https://www.cfr.org/interactive/cyber-operations/iron-tiger"
@ -1133,7 +1132,7 @@
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
"https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
"https://attack.mitre.org/groups/G0045/",
"http://www.secureworks.com/research/threat-profiles/bronze-riverside"
"https://www.secureworks.com/research/threat-profiles/bronze-riverside"
],
"synonyms": [
"APT10",
@ -1266,7 +1265,7 @@
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
"https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
"https://attack.mitre.org/groups/G0004/",
"http://www.secureworks.com/research/threat-profiles/bronze-palace"
"https://www.secureworks.com/research/threat-profiles/bronze-palace"
],
"synonyms": [
"Vixen Panda",
@ -1467,7 +1466,7 @@
"refs": [
"https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
"http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf",
"http://www.secureworks.com/research/threat-profiles/bronze-woodland"
"https://www.secureworks.com/research/threat-profiles/bronze-woodland"
],
"synonyms": [
"BRONZE WOODLAND",
@ -1633,7 +1632,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
]
},
"uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761",
@ -2019,7 +2018,7 @@
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
"https://www.brighttalk.com/webcast/10703/275683",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
"http://www.secureworks.com/research/threat-profiles/cobalt-trinity"
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity"
],
"synonyms": [
"APT 33",
@ -2511,7 +2510,7 @@
"https://www.cfr.org/interactive/cyber-operations/dukes",
"https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
"https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
"http://www.secureworks.com/research/threat-profiles/iron-hemlock"
"https://www.secureworks.com/research/threat-profiles/iron-hemlock"
],
"synonyms": [
"Dukes",
@ -2604,7 +2603,7 @@
"https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
"https://attack.mitre.org/groups/G0010/",
"http://www.secureworks.com/research/threat-profiles/iron-hunter"
"https://www.secureworks.com/research/threat-profiles/iron-hunter"
],
"synonyms": [
"Turla",
@ -2859,7 +2858,7 @@
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
"https://attack.mitre.org/groups/G0046/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"http://www.secureworks.com/research/threat-profiles/gold-niagara"
"https://www.secureworks.com/research/threat-profiles/gold-niagara"
],
"synonyms": [
"Carbanak",
@ -3008,7 +3007,7 @@
"attribution-confidence": "50",
"country": "RU",
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
]
},
"uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd",
@ -3019,7 +3018,7 @@
"attribution-confidence": "50",
"country": "KP",
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
],
"synonyms": [
"OperationTroy",
@ -3117,7 +3116,7 @@
"https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
"https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
"http://www.secureworks.com/research/threat-profiles/nickel-gladstone"
"https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
],
"synonyms": [
"Operation DarkSeoul",
@ -3184,7 +3183,7 @@
"attribution-confidence": "50",
"country": "IN",
"refs": [
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
"https://kung_foo.keybase.pub/papers_and_presentations/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
],
"synonyms": [
"Appin",
@ -3251,8 +3250,8 @@
"refs": [
"https://securelist.com/blog/research/69114/animals-in-the-apt-farm/",
"https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france",
"http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
"http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
"https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
"https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
"https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
"https://www.cfr.org/interactive/cyber-operations/snowglobe",
"https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/"
@ -3303,7 +3302,7 @@
"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
"https://s.tencent.com/research/report/669.html",
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
"http://www.secureworks.com/research/threat-profiles/copper-fieldstone"
"https://www.secureworks.com/research/threat-profiles/copper-fieldstone"
],
"synonyms": [
"C-Major",
@ -3436,7 +3435,7 @@
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
"https://securelist.com/the-dropping-elephant-actor/75328/",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"http://www.secureworks.com/research/threat-profiles/zinc-emerson"
"https://www.secureworks.com/research/threat-profiles/zinc-emerson"
],
"synonyms": [
"Chinastrats",
@ -3537,7 +3536,7 @@
"https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
"https://attack.mitre.org/groups/G0017/",
"https://attack.mitre.org/groups/G0002/",
"http://www.secureworks.com/research/threat-profiles/bronze-overbrook"
"https://www.secureworks.com/research/threat-profiles/bronze-overbrook"
],
"synonyms": [
"Moafee",
@ -3883,7 +3882,7 @@
"https://www.clearskysec.com/oilrig/",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
"https://attack.mitre.org/groups/G0049/",
"http://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
],
"synonyms": [
"Twisted Kitten",
@ -4029,7 +4028,6 @@
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
"http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks",
"https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/",
"https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/",
"https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
@ -4246,7 +4244,7 @@
"https://en.wikipedia.org/wiki/Stuxnet",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
"https://attack.mitre.org/groups/G0020/",
"http://www.secureworks.com/research/threat-profiles/platinum-terminal"
"https://www.secureworks.com/research/threat-profiles/platinum-terminal"
],
"synonyms": [
"Tilded Team",
@ -4514,7 +4512,7 @@
"https://github.com/eset/malware-research/tree/master/oceanlotus",
"https://www.cfr.org/interactive/cyber-operations/ocean-lotus",
"https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware",
"http://www.secureworks.com/research/threat-profiles/tin-woodlawn"
"https://www.secureworks.com/research/threat-profiles/tin-woodlawn"
],
"synonyms": [
"OceanLotus Group",
@ -4682,7 +4680,7 @@
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
"https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
"http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf",
"https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
"https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://attack.mitre.org/groups/G0061"
]
@ -4963,7 +4961,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
"https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
]
},
"uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c",
@ -5012,7 +5010,7 @@
"https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
"https://www.cfr.org/interactive/cyber-operations/mofang",
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
"http://www.secureworks.com/research/threat-profiles/bronze-walker"
"https://www.secureworks.com/research/threat-profiles/bronze-walker"
],
"synonyms": [
"Superman",
@ -5451,7 +5449,7 @@
{
"meta": {
"refs": [
"https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
]
},
"uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50",
@ -5514,7 +5512,7 @@
{
"meta": {
"refs": [
"https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
]
},
"uuid": "445c7b62-028b-455e-9d65-74899b7006a4",
@ -5592,7 +5590,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://en.hackdig.com/02/39538.htm"
"http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm"
]
},
"uuid": "110792e8-38d2-4df2-9ea3-08b60321e994",
@ -6242,7 +6240,7 @@
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
"https://attack.mitre.org/groups/G0027/",
"http://www.secureworks.com/research/threat-profiles/bronze-union"
"https://www.secureworks.com/research/threat-profiles/bronze-union"
],
"synonyms": [
"Emissary Panda",
@ -6558,7 +6556,7 @@
"https://www.cfr.org/interactive/cyber-operations/mustang-panda",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"http://www.secureworks.com/research/threat-profiles/bronze-president"
"https://www.secureworks.com/research/threat-profiles/bronze-president"
],
"synonyms": [
"BRONZE PRESIDENT",
@ -6910,7 +6908,7 @@
"https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
"https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/",
"https://krebsonsecurity.com/tag/dnspionage/",
"http://www.secureworks.com/research/threat-profiles/cobalt-edgewater"
"https://www.secureworks.com/research/threat-profiles/cobalt-edgewater"
],
"synonyms": [
"COBALT EDGEWATER"
@ -7019,7 +7017,7 @@
"https://threatpost.com/ta505-servhelper-malware/140792/",
"https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
"https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
"http://www.secureworks.com/research/threat-profiles/gold-tahoe"
"https://www.secureworks.com/research/threat-profiles/gold-tahoe"
],
"synonyms": [
"SectorJ04 Group",
@ -7055,7 +7053,7 @@
"https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
"http://www.secureworks.com/research/threat-profiles/gold-ulrick"
"https://www.secureworks.com/research/threat-profiles/gold-ulrick"
],
"synonyms": [
"TEMP.MixMaster"
@ -7071,7 +7069,7 @@
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
"http://www.secureworks.com/research/threat-profiles/gold-crestwood"
"https://www.secureworks.com/research/threat-profiles/gold-crestwood"
],
"synonyms": [
"TA542",
@ -7139,7 +7137,7 @@
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
"https://attack.mitre.org/groups/G0087/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"http://www.secureworks.com/research/threat-profiles/cobalt-hickman"
"https://www.secureworks.com/research/threat-profiles/cobalt-hickman"
],
"synonyms": [
"APT 39",
@ -7176,7 +7174,7 @@
"meta": {
"refs": [
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"http://www.secureworks.com/research/threat-profiles/gold-lowell"
"https://www.secureworks.com/research/threat-profiles/gold-lowell"
],
"synonyms": [
"GOLD LOWELL"
@ -7276,7 +7274,7 @@
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
"http://www.secureworks.com/research/threat-profiles/gold-swathmore"
"https://www.secureworks.com/research/threat-profiles/gold-swathmore"
],
"synonyms": [
"GOLD SWATHMORE"
@ -7408,7 +7406,7 @@
"https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities",
"https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian",
"http://www.secureworks.com/research/threat-profiles/cobalt-dickens"
"https://www.secureworks.com/research/threat-profiles/cobalt-dickens"
],
"synonyms": [
"COBALT DICKENS",
@ -7428,7 +7426,7 @@
"https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
"https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
"https:/twitter.com/bkMSFT/status/1201876664667582466",
"http://www.secureworks.com/research/threat-profiles/bronze-vinewood"
"https://www.secureworks.com/research/threat-profiles/bronze-vinewood"
],
"synonyms": [
"APT 31",
@ -7796,7 +7794,7 @@
"meta": {
"refs": [
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
"http://www.secureworks.com/research/threat-profiles/cobalt-lyceum"
"https://www.secureworks.com/research/threat-profiles/cobalt-lyceum"
],
"synonyms": [
"COBALT LYCEUM"
@ -7989,7 +7987,7 @@
"meta": {
"refs": [
"https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
"http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf"
"https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf"
],
"since": "2014",
"synonyms": [
@ -8314,7 +8312,7 @@
"description": "COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyware families SABER1 and SABER2, include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers discovery of new C2 domains in 2019 suggest the group is still actively performing operations.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/cobalt-juno"
"https://www.secureworks.com/research/threat-profiles/cobalt-juno"
],
"synonyms": [
"APT-C-38 (QiAnXin)",
@ -8329,7 +8327,7 @@
"description": "COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complimentary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/cobalt-katana"
"https://www.secureworks.com/research/threat-profiles/cobalt-katana"
],
"synonyms": [
"Hive0081 (IBM)",
@ -8341,5 +8339,5 @@
"value": "COBALT KATANA"
}
],
"version": 160
"version": 161
}
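Review bot: The replacement reference on the `en.hackdig.com` entry is a Google web-cache link (`http://webcache.googleusercontent.com/search?q=cache:...`), which is transient and will go dead again, unlike the `https://web.archive.org/web/...` snapshots this same change uses for the wooyun, FireEye, SC Magazine and Cyphort references. Prefer a Wayback capture of the original page, e.g. `"https://web.archive.org/web/<SNAPSHOT-TIMESTAMP>/http://en.hackdig.com/02/39538.htm"` (timestamp is a placeholder to be filled from an actual capture). The same concern applies, less acutely, to the vendor PDFs re-pointed at third-party mirrors (docs.huihoo.com, kung_foo.keybase.pub, afyonluoglu.org, pbwcz.cz, sans.org summit archive): a mirror copy cannot be checked against the original publisher, so an archive capture of the original URL, or the mirror plus the original as a second entry, keeps the reference verifiable. Unrelated to this commit but visible in the BRONZE VINEWOOD hunk, the context line `"https:/twitter.com/bkMSFT/status/1201876664667582466"` is missing a slash after the scheme and will fail in any consumer that parses refs as URLs.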