From 15b5f4c881c7691696f7d35f72dec89190d2427f Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Mon, 30 Nov 2020 11:49:23 +0100
Subject: [PATCH 1/7] Update threat-actor.json APT27
---
 clusters/threat-actor.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index de38f56..23c5178 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6231,7 +6231,8 @@
 "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
 "https://securelist.com/luckymouse-hits-national-data-center/86083/",
 "https://attack.mitre.org/groups/G0027/",
- "https://www.secureworks.com/research/threat-profiles/bronze-union"
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/"
 ],
 "synonyms": [
 "Emissary Panda",
@@ -8498,5 +8499,5 @@
 "value": "Operation Skeleton Key"
 }
 ],
- "version": 190
+ "version": 191
 }
From 2d885e2a224df260e6b8c51709a41bc4ee9606e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 30 Nov 2020 14:09:57 +0100
Subject: [PATCH 2/7] chg: Add PR to GH actions
---
 .github/workflows/nosetests.yml | 41 +++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 .github/workflows/nosetests.yml
diff --git a/.github/workflows/nosetests.yml b/.github/workflows/nosetests.yml
new file mode 100644
index 0000000..4a9aa1a
--- /dev/null
+++ b/.github/workflows/nosetests.yml
@@ -0,0 +1,41 @@
+name: Python application
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: [3.6, 3.7, 3.8, 3.9]
+
+ steps:
+
+ - uses: actions/checkout@v2
+
+ - name: Set up Python ${{matrix.python-version}}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{matrix.python-version}}
+
+ - name: Initialize submodules
+ run: git submodule update --init --recursive
+
+ - name: Install system dependencies
+ run: |
+ sudo apt install jq moreutils
+
+ - name: Install Python dependencies
+ run: |
+ python -m pip install --upgrade jsonschema pytaxonomies
+
+ - name: Test
+ run: |
+ ./validate_all.sh
+ pytaxonomies -l MANIFEST.json -a
From 47830ca058b7217125d3842d36636464bed8ad78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 30 Nov 2020 14:22:14 +0100
Subject: [PATCH 3/7] chg: Fix gh actions
---
 .github/workflows/nosetests.yml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/nosetests.yml b/.github/workflows/nosetests.yml
index 4a9aa1a..bc5e96a 100644
--- a/.github/workflows/nosetests.yml
+++ b/.github/workflows/nosetests.yml
@@ -33,9 +33,20 @@ jobs:
 - name: Install Python dependencies
 run: |
- python -m pip install --upgrade jsonschema pytaxonomies
+ python -m pip install poetry
+
+ - name: Install testing via python module
+ run: |
+ git clone https://github.com/MISP/PyMISPGalaxies.git
+ pushd PyMISPGalaxies
+ git submodule update --init
+ git submodule foreach git pull origin main
+ poetry install
+ popd
 - name: Test
+ run: |
 ./validate_all.sh
- pytaxonomies -l MANIFEST.json -a
+ pushd PyMISPGalaxies
+ poetry run nosetests-3.4 --with-coverage --cover-package=pymispgalaxies -d
+ popd
From 9be4a53f77bfb83a34ef582d86192a2085c4bf19 Mon Sep 17 00:00:00 2001
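Review bot: Both actions in the new workflow are referenced by mutable tag (`- uses: actions/checkout@v2`, `uses: actions/setup-python@v2`) rather than by commit SHA, so a retagged release changes what executes in CI without any change to this repository; pinning each to a full commit (tag kept in a trailing comment) is the usual mitigation, and the same concern applies to the unpinned `python -m pip install --upgrade jsonschema pytaxonomies`. The system-dependency step runs `sudo apt install jq moreutils` with no preceding `apt-get update` and no `-y`; on a non-interactive runner apt may prompt and abort when the install pulls in extra packages, so `sudo apt-get update && sudo apt-get install -y jq moreutils` is the safer form (the same line survives in patch 4's first hunk as `run: sudo apt install jq moreutils`). The collapsed rendering of this page has lost the YAML indentation, so the nesting of the steps cannot be verified from here.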
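Review bot: The test added in this hunk does not run against the checked-out revision: the new step clones `https://github.com/MISP/PyMISPGalaxies.git` at whatever its HEAD is and then runs `git submodule foreach git pull origin main`, which — assuming PyMISPGalaxies carries misp-galaxy as the submodule that `git submodule update --init` initializes — swaps the galaxy data under test for upstream `main` instead of the pull request's files. A PR that breaks a cluster would therefore still pass `nosetests-3.4` as long as upstream `main` is healthy, so the step should bind the submodule to the workspace, for example replacing the `git pull` line with `rm -rf <SUBMODULE_PATH> && ln -s "$GITHUB_WORKSPACE" <SUBMODULE_PATH>` (where `<SUBMODULE_PATH>` is the submodule directory inside PyMISPGalaxies) or checking out the current commit there. Cloning an unpinned HEAD and running `poetry install` on it also executes third-party code at an unpinned revision on every run; `git clone --branch <TAG_OR_COMMIT>` would make the test harness reproducible.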
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 30 Nov 2020 14:33:15 +0100
Subject: [PATCH 4/7] fix: reorganize GH actions
---
 .github/workflows/nosetests.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/nosetests.yml b/.github/workflows/nosetests.yml
index bc5e96a..28463d0 100644
--- a/.github/workflows/nosetests.yml
+++ b/.github/workflows/nosetests.yml
@@ -28,12 +28,13 @@ jobs:
 run: git submodule update --init --recursive
 - name: Install system dependencies
- run: |
- sudo apt install jq moreutils
+ run: sudo apt install jq moreutils
+
+ - name: Validate files
+ run: ./validate_all.sh
 - name: Install Python dependencies
- run: |
- python -m pip install poetry
+ run: python -m pip install poetry
 - name: Install testing via python module
 run: |
@@ -44,9 +45,8 @@ jobs:
 poetry install
 popd
- - name: Test
+ - name: Test with Python module
 run: |
- ./validate_all.sh
 pushd PyMISPGalaxies
 poetry run nosetests-3.4 --with-coverage --cover-package=pymispgalaxies -d
 popd
From b00ea1267785734a40b8750f0f2e78a1abae068f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 30 Nov 2020 15:50:17 +0100
Subject: [PATCH 5/7] chg: [doc] Travis is dead, GH Action is alive.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index fc597f0..d6ebad3 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # misp-galaxy
-[![Build Status](https://travis-ci.org/MISP/misp-galaxy.svg?branch=master)](https://travis-ci.org/MISP/misp-galaxy)
+![Python application](https://github.com/MISP/misp-galaxy/workflows/Python%20application/badge.svg)
 MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There
From 72e085aba92dfecbc304d01c0e92e6e9c0fe1f4e Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Wed, 2 Dec 2020 11:44:29 +0100
Subject: [PATCH 6/7] Update threat-actor.json OceanLotus
---
 clusters/threat-actor.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 23c5178..dc55034 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4481,7 +4481,8 @@
 "https://www.cfr.org/interactive/cyber-operations/ocean-lotus",
 "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware",
 "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
- "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/"
+ "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
+ "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html"
 ],
 "synonyms": [
 "OceanLotus Group",
@@ -8499,5 +8500,5 @@
 "value": "Operation Skeleton Key"
 }
 ],
- "version": 191
+ "version": 192
 }
From 4fee985b5edd1e3fecf39919cd1119dca6fba504 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Thu, 3 Dec 2020 13:05:14 +0100
Subject: [PATCH 7/7] Update threat-actor.json Turla
---
 clusters/threat-actor.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dc55034..c0d9975 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2564,7 +2564,8 @@
 "https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
 "https://attack.mitre.org/groups/G0010/",
 "https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/",
- "https://www.secureworks.com/research/threat-profiles/iron-hunter"
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
 ],
 "synonyms": [
 "Turla",
@@ -8500,5 +8501,5 @@
 "value": "Operation Skeleton Key"
 }
 ],
- "version": 192
+ "version": 193
 }