From c16108017526a40c50eb1e67d4280177cfb5169e Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 15 Apr 2020 21:36:48 +0530
Subject: [PATCH 1/9] Update threat-actor.json

---
 clusters/threat-actor.json | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4469057..41e4a55 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5770,7 +5770,14 @@
 "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
 "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/",
 "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html",
- "https://attack.mitre.org/groups/G0065/"
+ "https://attack.mitre.org/groups/G0065/",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company",
+ "https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu",
+ "https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network",
+ "https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding",
+ "https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40"
 ],
 "synonyms": [
 "TEMP.Periscope",
@@ -5778,7 +5785,8 @@
 "APT 40",
 "APT40",
 "BRONZE MOHAWK",
- "GADOLINIUM"
+ "GADOLINIUM",
+ "Kryptonite Panda"
 ]
 },
 "related": [
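Review bot: Adding `Kryptonite Panda` as an APT40 synonym in the -5778 hunk is paired with deleting the standalone cluster in the -7134 hunk, which drops that cluster's uuid `393ebaad-4f05-4b35-bd31-45ac4ae7472d` and its description (adoption of the 8.t exploit document builder, June 2018 Cambodia targeting) from the galaxy without a trace. Events already tagged with the old uuid will no longer resolve, and the merged APT40 entry gives no indication of what was folded into it. Consider carrying the removed description text into this cluster's description and, if the galaxy format supports it, pointing at the old uuid from the `related` array that begins at the end of this hunk instead of deleting it outright. The CrowdStrike references added in the -5770 hunk are presumably the basis for equating Kryptonite Panda with APT40; stating that mapping in the description would make the merge auditable.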
@@ -7134,17 +7142,6 @@
 "uuid": "d7a41ada-6687-4a6b-8b5c-396808cdd758",
 "value": "Judgment Panda"
 },
- {
- "description": "One of the first observed adopters of the 8.t exploit document builder in late 2017, further KRYPTONITE PANDA activity was limited in 2018. Last known activity for this adversary occurred in June 2018 and involved suspected targeting of Cambodia.",
- "meta": {
- "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
- ]
- },
- "uuid": "393ebaad-4f05-4b35-bd31-45ac4ae7472d",
- "value": "Kryptonite Panda"
- },
 {
 "description": "In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.",
 "meta": {
@@ -7395,10 +7392,13 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
 "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
 "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko"
 ],
 "synonyms": [
- "CIRCUIT PANDA"
+ "CIRCUIT PANDA",
+ "Temp.Overboard",
+ "HUAPI"
 ]
 },
 "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
From d6bf42254fb0ccfd1f1cc26bf9c0289455a18a6b Mon Sep 17 00:00:00 2001
From: Rony
Date: Sat, 18 Apr 2020 13:22:25 +0530
Subject: [PATCH 2/9] Merging APT23 & Tropic Trooper

---
 clusters/threat-actor.json | 33 +++++++++++----------------------
 1 file changed, 11 insertions(+), 22 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 41e4a55..499845a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -608,26 +608,6 @@
 "uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
 "value": "Wekby"
 },
- {
- "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'",
- "meta": {
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
- "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
- "https://blog.lookout.com/titan-mobile-threat",
- "https://attack.mitre.org/groups/G0081/"
- ],
- "synonyms": [
- "Operation Tropic Trooper",
- "Operation TropicTrooper",
- "TropicTrooper"
- ]
- },
- "uuid": "4fd409a9-db86-46a5-bdf2-b6c8ee397a89",
- "value": "Tropic Trooper"
- },
 {
 "description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'",
 "meta": {
@@ -1668,18 +1648,27 @@
 "value": "Temper Panda"
 },
 {
+ "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'",
 "meta": {
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
 "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
+ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
+ "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
+ "https://blog.lookout.com/titan-mobile-threat",
+ "https://attack.mitre.org/groups/G0081/"
 ],
 "synonyms": [
 "APT23",
 "APT 23",
- "KeyBoy"
+ "KeyBoy",
+ "TropicTrooper",
+ "Tropic Trooper"
 ]
 },
 "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
From 0aa34187e912df62b1cbd2944ce35edc02a7f613 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 19 Apr 2020 11:29:36 +0530
Subject: [PATCH 3/9] add link

---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 499845a..59ecb2d 100644
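Review bot: The merge in the -1668 hunk keeps only two of the three synonyms the deleted Tropic Trooper cluster carried: `Operation Tropic Trooper` and `Operation TropicTrooper` (both removed in the -608 hunk) are not added to the APT23 synonym list, and the old uuid `4fd409a9-db86-46a5-bdf2-b6c8ee397a89` is dropped, so tags and lookups using either alias or that uuid silently stop matching. Adding `"Operation Tropic Trooper",` and `"Operation TropicTrooper",` after `"TropicTrooper",` preserves the aliases. The added description is the Trend Micro Tropic Trooper text alone (including the `haveset` typo carried over from the deleted line), so a reader of the merged cluster cannot see which references belong to the KeyBoy/APT23 reporting and which to Tropic Trooper, nor on what basis the two names are treated as one actor; a sentence naming the source that supports the mapping would make the merge auditable. The cluster's `value` line lies outside the hunk.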
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6794,7 +6794,8 @@
 "description": "Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.",
 "meta": {
 "refs": [
- "http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html"
+ "http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html",
+ "https://cybaze.it/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf"
 ],
 "synonyms": [
 "Operation EvilTraffic"
From 42a48208238f51a6b2741f4813745a72c15790a4 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 19 Apr 2020 11:45:45 +0530
Subject: [PATCH 4/9] dead link

---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 59ecb2d..8e0af57 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -118,7 +118,6 @@
 "country": "CN",
 "refs": [
 "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
- "http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf",
 "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
 "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html",
 "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
From 573b4807eeb8e474721132ed9c93711a23cbea35 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 19 Apr 2020 16:03:21 +0530
Subject: [PATCH 5/9] fix broken links

---
 clusters/threat-actor.json | 48 +++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8e0af57..4ce3a2b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -50,7 +50,7 @@
 "https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/",
 "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf",
- "https://www.symantec.com/connect/blogs/apt1-qa-attacks-comment-crew",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://attack.mitre.org/groups/G0006/",
 "https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html"
 ],
@@ -100,7 +100,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf",
 "https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/"
 ],
@@ -159,7 +159,7 @@
 "meta": {
 "refs": [
 "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf",
- "https://www.symantec.com/connect/blogs/inside-back-door-attack",
+ "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack",
 "https://attack.mitre.org/groups/G0031/"
 ]
 },
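Review bot: The -100 hunk replaces the vendor-hosted Nitro whitepaper with a copy on paper.seebug.org, a third-party mirror, and the same substitution is made for the Hidden Lynx PDF (-503 hunk), the Dragonfly PDF (-2629), the Inception PDFs (-6414 in the next commit) and the Luckycat PDF (-7469, which points to vx-underground.org). A mirrored PDF carries no provenance tie to the original publisher, so a consumer of this galaxy cannot tell whether the document is the unmodified report, whereas the web.archive.org snapshots used elsewhere in this commit keep the publisher's original URL visible and verifiable. Where a snapshot of the original exists, prefer `https://web.archive.org/web/<TIMESTAMP>/<ORIGINAL-URL>` (placeholders to be looked up per reference) over the mirror, or keep the mirror alongside the archived original rather than in place of it.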
@@ -335,7 +335,7 @@
 "country": "CN",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
- "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
+ "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
 "https://www.cfr.org/interactive/cyber-operations/apt-3"
 ],
 "synonyms": [
@@ -503,11 +503,11 @@
 "country": "CN",
 "refs": [
 "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
 "https://www.cfr.org/interactive/cyber-operations/apt-17",
 "https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
- "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
- "https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
+ "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
+ "https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
 "https://www.recordedfuture.com/hidden-lynx-analysis/"
 ],
 "synonyms": [
@@ -739,7 +739,7 @@
 "https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/",
 "https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
 "https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
 "https://attack.mitre.org/groups/G0009/"
 ],
 "synonyms": [
@@ -1469,7 +1469,7 @@
 "country": "CN",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/sneaky-panda",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf",
 "https://attack.mitre.org/groups/G0066/"
 ],
 "synonyms": [
@@ -1982,7 +1982,7 @@
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
 "https://www.brighttalk.com/webcast/10703/275683",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage"
 ],
 "synonyms": [
 "APT 33",
@@ -2060,7 +2060,7 @@
 "http://www.clearskysec.com/thamar-reservoir/",
 "https://citizenlab.ca/2015/08/iran_two_factor_phishing/",
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
- "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
 "https://en.wikipedia.org/wiki/Rocket_Kitten",
 "https://www.cfr.org/interactive/cyber-operations/rocket-kitten"
@@ -2365,7 +2365,7 @@
 "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf",
 "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
 "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
- "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
+ "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
 "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
 "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
 "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
@@ -2552,7 +2552,7 @@
 "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
 "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
 "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
 "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
 "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
@@ -2629,7 +2629,7 @@
 "country": "RU",
 "refs": [
 "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
 "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
 "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
 "https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
@@ -2637,7 +2637,7 @@
 "https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
 "https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
 "https://www.riskiq.com/blog/labs/energetic-bear/",
- "https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
 "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
 "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
 "https://attack.mitre.org/groups/G0035/",
@@ -2694,7 +2694,7 @@
 "https://www.us-cert.gov/ncas/alerts/TA17-163A",
 "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
 "https://www.cfr.org/interactive/cyber-operations/black-energy",
- "https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
+ "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
 "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
 "https://attack.mitre.org/groups/G0034/"
@@ -2796,7 +2796,7 @@
 "https://en.wikipedia.org/wiki/Carbanak",
 "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
 "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
 "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
 "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
@@ -2894,7 +2894,7 @@
 "refs": [
 "https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/",
 "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
- "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware",
 "https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
 "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
@@ -3041,10 +3041,10 @@
 "https://content.fireeye.com/apt/rpt-apt38",
 "https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/",
 "https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack",
- "https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise",
+ "https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise",
 "https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html",
- "https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov",
- "https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war",
+ "https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov",
+ "https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war",
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/",
 "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/",
@@ -3061,11 +3061,11 @@
 "https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c",
 "https://attack.mitre.org/groups/G0032/",
 "https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/",
- "https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105",
 "https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD",
- "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
- "https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
+ "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/",
 "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0",
 "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html",
From 7ac2648dbce28effb244b57249d892ea58687e24 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 19 Apr 2020 23:00:42 +0530
Subject: [PATCH 6/9] more fix

---
 clusters/threat-actor.json | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4ce3a2b..d65fb71 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
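Review bot: The -3061 hunk leaves `https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0` (the context line two below the last `+`) on the symantec.com/connect host while migrating the other three connect links in the same refs list, so this cluster presumably still carries one of the broken links the commit sets out to fix. The same pattern appears in the -6414 hunk of the next commit, where `https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies` stays on www.symantec.com although every other `symantec.com/blogs/` reference in the series is moved to symantec-blogs.broadcom.com. A search for `symantec.com/connect` and `symantec.com/blogs` over the whole file before committing would catch the stragglers. The refs array continues outside the hunk.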
@@ -3378,7 +3378,7 @@
 "cfr-type-of-incident": "Espionage",
 "country": "IN",
 "refs": [
- "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign",
 "https://www.cymmetria.com/patchwork-targeted-attack/",
 "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
@@ -3584,7 +3584,7 @@
 "refs": [
 "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/",
 "https://www.cfr.org/interactive/cyber-operations/project-sauron",
- "https://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf",
 "https://attack.mitre.org/groups/G0041/"
 ],
@@ -3715,8 +3715,8 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates",
- "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://attack.mitre.org/groups/G0039/"
 ]
 },
@@ -3824,9 +3824,9 @@
 "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json",
 "https://www.cfr.org/interactive/cyber-operations/oilrig",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
- "https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
- "https://www.symantec.com/connect/blogs/shamoon-attacks",
- "https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
+ "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://www.clearskysec.com/oilrig/",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
 "https://attack.mitre.org/groups/G0049/"
@@ -4086,7 +4086,7 @@
 "attribution-confidence": "50",
 "country": "IR",
 "refs": [
- "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
+ "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
 ]
 },
 "uuid": "03f13462-003c-4296-8784-bccea16710a9",
@@ -4098,8 +4098,7 @@
 "attribution-confidence": "50",
 "country": "IR",
 "refs": [
- "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
- "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
 ]
 },
 "uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3",
@@ -4229,7 +4228,7 @@
 "attribution-confidence": "50",
 "country": "IR",
 "refs": [
- "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
+ "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
 "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/",
 "https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/",
 "https://www.clearskysec.com/greenbug/"
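Review bot: The -4098 hunk drops the Symantec "iran-based-attackers-use-back-door-threats" reference from the cluster with uuid `ddd95696-3d9a-4d0c-beec-a34d396182f3` instead of archiving it, even though the preceding -4086 hunk keeps the very same article for the sibling cluster (uuid `03f13462-...`) through a web.archive.org snapshot. Since both clusters cited that article before this change, it appears to be shared primary reporting for the two groups, and the second cluster is now left with only the later blog post as evidence. Restoring it as `"https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",` above the added broadcom line keeps the two clusters consistent with each other.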
@@ -4408,7 +4407,7 @@
 "cfr-type-of-incident": "Espionage",
 "country": "US",
 "refs": [
- "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/",
 "https://www.cfr.org/interactive/cyber-operations/longhorn",
 "http://blogs.360.cn/post/APT-C-39_CIA_EN.html"
@@ -4615,7 +4614,7 @@
 "meta": {
 "refs": [
 "https://dragos.com/blog/20180802Raspite.html",
- "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
 "https://attack.mitre.org/groups/G0077/"
 ],
 "since": "2017",
@@ -5061,7 +5060,7 @@
 "https://www.cfr.org/interactive/cyber-operations/madi",
 "https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east",
 "https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/",
- "https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns"
+ "https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns"
 ]
 },
 "uuid": "d5dacda0-12c2-4e80-bdf2-1c5019ec40e2",
@@ -6415,7 +6414,10 @@
 "cfr-type-of-incident": "Espionage",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/inception-framework",
- "https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit",
+ "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
+ "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf"
 "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
 "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
 "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
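Review bot: The last added line in the -6414 hunk, `"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf"`, has no trailing comma before the `"https://securelist.com/red-october-...` context line that follows it, so at this commit clusters/threat-actor.json is not valid JSON and every cluster in the file, not just this one, is unusable by a strict parser until the next commit in the series adds the comma. Running the file through a validator such as `jq . clusters/threat-actor.json` before each commit would catch this class of error immediately. The refs array continues outside the hunk.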
@@ -7469,7 +7471,7 @@
 "description": "A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the email. For example, one email sent to an academic claimed to be a call for papers for a conference (CFP).\nThe vast majority of the victims were based in India, with some in Malaysia. The victim industry was mostly military research and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a ‘shotgun’ like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack with what appeared to be source code stolen. 45 different attacker IP addresses were observed. Out of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous.ænThe attacks have been active from at least April 2011 up to February 2012. 
The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero day exploits or complicated threats, instead they rely on effective social engineering and lax security measures on the part of the victims.",
 "meta": {
 "refs": [
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf",
+ "https://vx-underground.org/papers/luckycat-hackers-12-en.pdf",
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf"
 ]
 },
From ddfa28067231327c8b2b7a0147c1a0174e1b9a58 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 19 Apr 2020 23:06:57 +0530
Subject: [PATCH 7/9] Update threat-actor.json
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d65fb71..0863f75 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6417,7 +6417,7 @@
 "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
 "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf"
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
 "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
 "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
 "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
From aa34775390ef947fafeb92c132ee0734a04c1abd Mon Sep 17 00:00:00 2001
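Review bot: The Luckycat reference now points at a third-party mirror, `"https://vx-underground.org/papers/luckycat-hackers-12-en.pdf"`, whose filename differs from the original Symantec whitepaper, so a reader cannot tell from the entry that it is the same document and the mirror carries none of the vendor's provenance. The other hunks in this patch handle the same dead-link problem with a web.archive.org snapshot of the original URL, which keeps the original path visible; the same form fits here: `"https://web.archive.org/web/<SNAPSHOT-TIMESTAMP>/https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf"`. If the mirror is kept, add it alongside rather than in place of the original. The description context line above shows `æn` where the file presumably holds a `\n` escape; that looks like a rendering artefact of this page rather than something the patch changes, but it is worth confirming the committed text is intact. The hunk's enclosing object starts above the hunk.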
From: Rony
Date: Sun, 19 Apr 2020 23:17:44 +0530
Subject: [PATCH 8/9] typo thanks to @patricksvgr
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0863f75..30c2ee7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3067,7 +3067,7 @@
 "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/",
- "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0",
+ "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware",
 "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html",
 "https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret",
 "https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
From 974ece3a7ce2399253e426de968cf3410148cff9 Mon Sep 17 00:00:00 2001
From: "pnx@pyrite"
Date: Mon, 20 Apr 2020 14:20:22 +0200
Subject: [PATCH 9/9] adding FIN1
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 30c2ee7..c8117b7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
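Review bot: The corrected URL still lives under `www.symantec.com/connect/blogs/`, the host whose links the rest of this series treats as dead, while the first ref in the same array already wraps another connect/blogs post in a web.archive.org snapshot. If the corrected link no longer resolves, the snapshot form keeps the entry consistent with its neighbour: `"https://web.archive.org/web/<SNAPSHOT-TIMESTAMP>/https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware"`. I cannot verify from the diff whether the corrected link is live, so this is a check rather than a defect.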
@@ -7406,6 +7406,16 @@
 "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
 "value": "FIN5"
 },
+ {
+ "description": "FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developer(s), and used this malware to access the victim environment and steal cardholder data. FIN1, which may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools, is known for stealing data that is easily monetized from financial services organizations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html"
+ ]
+ },
+ "uuid": "13289552-596e-4592-9c81-eeb4db6baf3c",
+ "value": "FIN1"
+ },
 {
 "description": "FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.",
 "meta": {
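Review bot: The new FIN1 description carries the source's relative wording "during a recent investigation", which loses its meaning in a dataset read years after the 2015 blog post it paraphrases; anchor it to the date the ref gives, e.g. `"description": "In 2015, FireEye identified a financially motivated threat group it tracks as FIN1, whose activity at a financial-industry victim dated back several years. ..."`. The location statement ("may be located in Russia or a Russian-speaking country based on language settings") is reproduced with the source's own hedge, which is the right level of confidence to keep for an attribution claim. The entry has only `refs` under `meta`; if the source reports other names for the group they belong in a `synonyms` array so the entry matches against other feeds, but none are visible in the diff, so omitting the key is preferable to adding an empty one.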