From 69a94b6c1e7aa8f5defea991f0b8a9c38ea1579e Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 6 Dec 2023 17:42:33 -0800
Subject: [PATCH] [threat-actors] Add UNC2659
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4ec3dc0..bba0fb6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13651,6 +13651,16 @@
 },
 "uuid": "f1d90b54-4821-41ff-8e07-ac650e0454b7",
 "value": "UNC2717"
+ },
+ {
+ "description": "UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites.",
+ "meta": {
+ "refs": [
+ "http://internal-www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
+ ]
+ },
+ "uuid": "697cb051-5315-4026-bf4c-553b49f817a9",
+ "value": "UNC2659"
 }
 ],
 "version": 295
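Review bot: The only entry in `meta.refs` for the new UNC2659 object points at `http://internal-www.fireeye.com/...`, which looks like a vendor-internal hostname rather than the public blog, and it uses plain HTTP. Analysts following the reference will probably not be able to resolve it, which leaves the attribution without a checkable source. I would replace it with the public HTTPS location of the same article, presumably `"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"`, after confirming that it resolves. The `description` is also carried over in the vendor's first person ("We have observed ..."), so it reads as this project's own observation; rewording it to name the source would avoid that. `"version": 295` appears only as unchanged context, so if the project bumps the cluster version on every content change, that bump is missing here.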