From 300e3c2bfbda6ca93367d2e5e2bd06ea39721a49 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 26 Aug 2019 17:50:20 +0200
Subject: [PATCH 01/12] More clusters improved
---
 clusters/target-information.json | 286 ++++++++++++++++++++++++++++++-
 1 file changed, 280 insertions(+), 6 deletions(-)
diff --git a/clusters/target-information.json b/clusters/target-information.json
index c3165973..69521a3f 100644
--- a/clusters/target-information.json
+++ b/clusters/target-information.json
@@ -2154,7 +2154,7 @@
 "currency": [
 "$",
 "USD",
- "United States dollara"
+ "United States dollar"
 ],
 "iso-code": [
 "SV",
@@ -2517,10 +2517,27 @@
 "calling-code": [
 "+241"
 ],
+ "capital": [
+ "Libreville"
+ ],
+ "currency": [
+ "Central African CFA franc",
+ "XAF"
+ ],
 "iso-code": [
 "GA",
 "GAB"
 ],
+ "official-languages": [
+ "French"
+ ],
+ "synomyms": [
+ "Gabonese Republic",
+ "République gabonaise"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".ga"
 },
 "uuid": "8e70d742-c708-4a9e-8ab1-6a8a90306ccf",
@@ -2531,10 +2548,28 @@
 "calling-code": [
 "+220"
 ],
+ "capital": [
+ "Banjul"
+ ],
+ "currency": [
+ "Dalasi",
+ "GMD"
+ ],
 "iso-code": [
 "GM",
 "GMB"
- ]
+ ],
+ "official-languages": [
+ "English"
+ ],
+ "synomyms": [
+ "The Gambia",
+ "Republic of The Gambia"
+ ],
+ "territory-type": [
+ "Country"
+ ],
+ "top-level-domain": ".gm"
 },
 "uuid": "2ded2689-16c3-4476-a2d8-04c4bc51ae4a",
 "value": "Gambia"
@@ -2544,10 +2579,32 @@
 "calling-code": [
 "+995"
 ],
+ "capital": [
+ "Tbilisi"
+ ],
+ "currency": [
+ "Georgian lari",
+ "₾",
+ "GEL"
+ ],
 "iso-code": [
 "GE",
 "GEO"
 ],
+ "official-languages": [
+ "Georgian",
+ "Abkhazian"
+ ],
+ "synomyms": [
+ "საქართველო",
+ "sakartvelo",
+ "Republic of Georgia",
+ "საქართველოს რესპუბლიკა",
+ "sakartvelos resp'ublik'a"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".ge"
 },
 "uuid": "76c2f2fe-ce68-4008-aa30-1ac8de38d617",
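Review bot: Every alias block added in this patch uses the key `"synomyms"` (Gabon, Gambia and Georgia in these hunks, and likewise in the Germany–Guyana hunks that follow and throughout patch 09), whereas the existing threat-actor entries and tools/chk_dup.py use `"synonyms"`. chk_dup.py iterates `entry.get('meta').get('synonyms')` and swallows the resulting TypeError, so aliases stored under the misspelled key are silently excluded from the duplicate check instead of being reported. Rename the key to `"synonyms"` in every added block. The `territory-type` values also drift across the series between `"Country"`, `"sovereign state"` and lowercase forms such as `"special administrative region"`; one agreed spelling keeps the field usable as a filter.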
@@ -2558,6 +2615,14 @@
 "calling-code": [
 "+49"
 ],
+ "capital": [
+ "Berlin"
+ ],
+ "currency": [
+ "€",
+ "EUR",
+ "EURO"
+ ],
 "iso-code": [
 "DE",
 "DEU"
@@ -2565,6 +2630,17 @@
 "member-of": [
 "NATO"
 ],
+ "official-languages": [
+ "German"
+ ],
+ "synomyms": [
+ "Deutschland",
+ "Federal Republic of Germany",
+ "Bundesrepublik Deutschland"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".de"
 },
 "uuid": "4121d334-39d0-49c4-8a0e-0442c6bdcbc4",
@@ -2575,10 +2651,26 @@
 "calling-code": [
 "+233"
 ],
+ "capital": [
+ "Accra"
+ ],
+ "currency": [
+ "Ghanaian cedi",
+ "GHS"
+ ],
 "iso-code": [
 "GH",
 "GHA"
 ],
+ "official-languages": [
+ "English"
+ ],
+ "synomyms": [
+ "Republic of Ghana"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".gh"
 },
 "uuid": "6f7a0f04-8299-4a2d-95d0-a8305a1ae23e",
@@ -2589,10 +2681,29 @@
 "calling-code": [
 "+350"
 ],
+ "capital": [
+ "Gibraltar"
+ ],
+ "currency": [
+ "Gibraltar pound",
+ "£",
+ "GIP"
+ ],
 "iso-code": [
 "GI",
 "GIB"
- ]
+ ],
+ "official-languages": [
+ "English"
+ ],
+ "synomyms": [
+ "جبل طارق",
+ "Jabal Ṭāriq"
+ ],
+ "territory-type": [
+ "British Overseas Territory"
+ ],
+ "top-level-domain": ".gi"
 },
 "uuid": "078a914d-7ef3-413b-8a62-2473b8db1c12",
 "value": "Gibraltar"
@@ -2602,6 +2713,14 @@
 "calling-code": [
 "+30"
 ],
+ "capital": [
+ "Athens"
+ ],
+ "currency": [
+ "€",
+ "EUR",
+ "EURO"
+ ],
 "iso-code": [
 "GR",
 "GRC"
@@ -2609,6 +2728,19 @@
 "member-of": [
 "NATO"
 ],
+ "official-languages": [
+ "Greek"
+ ],
+ "synomyms": [
+ "Hellas",
+ "Ελλάς",
+ "Hellenic Republic",
+ "Ελληνική Δημοκρατία",
+ "Ellinikí Dimokratía"
+ ],
+ "territory-type": [
+ "sovereign state"
+ ],
 "top-level-domain": ".gr"
 },
 "uuid": "505730f7-2637-4efb-845d-f1af7cdca109",
@@ -2619,10 +2751,28 @@
 "calling-code": [
 "+299"
 ],
+ "capital": [
+ "Nuuk"
+ ],
+ "currency": [
+ "Danish krone",
+ "DKK"
+ ],
 "iso-code": [
 "GL",
 "GRL"
- ]
+ ],
+ "official-languages": [
+ "Greenandic"
+ ],
+ "synomyms": [
+ "Kalaallit Nunaat",
+ "Grønland"
+ ],
+ "territory-type": [
+ "Country"
+ ],
+ "top-level-domain": ".gl"
 },
 "uuid": "20f2c544-093d-4964-84ae-7d5fd54ad6d0",
 "value": "Greenland"
@@ -2632,10 +2782,23 @@
 "calling-code": [
 "+1-473"
 ],
+ "capital": [
+ "St. George's"
+ ],
+ "currency": [
+ "East Caribbean dollar",
+ "XCD"
+ ],
 "iso-code": [
 "GD",
 "GRD"
 ],
+ "official-languages": [
+ "English"
+ ],
+ "territory-type": [
+ "sovereign state"
+ ],
 "top-level-domain": ".gd"
 },
 "uuid": "1aea4486-eef7-496b-9a69-a2d2bdbe7b77",
@@ -2646,10 +2809,30 @@
 "calling-code": [
 "+1-671"
 ],
+ "capital": [
+ "Hagåtña"
+ ],
+ "currency": [
+ "$",
+ "USD",
+ "United States dollar"
+ ],
 "iso-code": [
 "GU",
 "GUM"
- ]
+ ],
+ "official-languages": [
+ "English",
+ "Chamorro"
+ ],
+ "synomyms": [
+ "Guåhån",
+ "Territory of Guam"
+ ],
+ "territory-type": [
+ "Unincorporated organized territory"
+ ],
+ "top-level-domain": ".gu"
 },
 "uuid": "4dc24d07-79ee-43b7-98a0-53bc79a29708",
 "value": "Guam"
@@ -2659,10 +2842,27 @@
 "calling-code": [
 "+502"
 ],
+ "capital": [
+ "Guatemala City"
+ ],
+ "currency": [
+ "Quetzal",
+ "GTQ"
+ ],
 "iso-code": [
 "GT",
 "GTM"
 ],
+ "official-languages": [
+ "Spanish"
+ ],
+ "synomyms": [
+ "Republic of Guatemala",
+ "República de Guatemala"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".gt"
 },
 "uuid": "3e3e89d2-07f3-4ddc-addf-2d5cb05bedd1",
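Review bot: The Greenland block adds `"official-languages": ["Greenandic"]`, which looks like a misspelling of Greenlandic, and the Guinea-Bissau block in the next run of hunks adds `"capital": ["Bisseau"]` where Bissau is expected. Both are free-text values that downstream users will match on, so a typo here is a silent lookup miss rather than anything a schema check will flag. Suggested values: `"Greenlandic"` and `"Bissau"`.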
@@ -2673,10 +2873,30 @@
 "calling-code": [
 "+44-1481"
 ],
+ "capital": [
+ "St Peter Port"
+ ],
+ "currency": [
+ "Guernsey Pound",
+ "Pound sterling",
+ "GGP",
+ "GBP"
+ ],
 "iso-code": [
 "GG",
 "GGY"
- ]
+ ],
+ "official-languages": [
+ "English",
+ "French"
+ ],
+ "synomyms": [
+ "Guernési"
+ ],
+ "territory-type": [
+ "Jurisdiction"
+ ],
+ "top-level-domain": ".gg"
 },
 "uuid": "dd42b40e-2740-46f5-9bb1-6d0799a081c7",
 "value": "Guernsey"
@@ -2686,10 +2906,30 @@
 "calling-code": [
 "+224"
 ],
+ "capital": [
+ "Conakry"
+ ],
+ "currency": [
+ "Guinean franc",
+ "GNF"
+ ],
 "iso-code": [
 "GN",
 "GIN"
 ],
+ "official-languages": [
+ "French"
+ ],
+ "synomyms": [
+ "Ginee",
+ "Guinée",
+ "Republic of Guinea",
+ "Renndaandi Ginee",
+ "République de Guinée (French)"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".gn"
 },
 "uuid": "f227edf8-e538-45b8-8a70-1a05ea5a605b",
@@ -2700,10 +2940,28 @@
 "calling-code": [
 "+245"
 ],
+ "capital": [
+ "Bisseau"
+ ],
+ "currency": [
+ "West African CFA franc",
+ "XOF"
+ ],
 "iso-code": [
 "GW",
 "GNB"
 ],
+ "official-languages": [
+ "Portuguese"
+ ],
+ "synomyms": [
+ "Guiné-Bissau",
+ "Republic of Guinea-Bissau",
+ "República da Guiné-Bissau"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".gw"
 },
 "uuid": "3b5824bc-936e-4403-bdc9-4dd9a7db36e3",
@@ -2714,10 +2972,26 @@
 "calling-code": [
 "+592"
 ],
+ "capital": [
+ "Georgetown"
+ ],
+ "currency": [
+ "Guyanese dollar",
+ "GYD"
+ ],
 "iso-code": [
 "GY",
 "GUY"
 ],
+ "official-languages": [
+ "English"
+ ],
+ "synomyms": [
+ "Co-operative Republic of Guyana"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".gy"
 },
 "uuid": "cb9fbca4-6cc6-4f83-9ebc-4e975cddea69",
From 9926ea88262d06a8155fb2756a53c487f282ba1f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Aug 2019 14:35:12 +0200
Subject: [PATCH 02/12] chg: [threat-actor] LYCEUM added - 443 #fixed
---
 clusters/threat-actor.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
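Review bot: In the Guinea block the synonym `"République de Guinée (French)"` carries a language annotation inside the value itself, unlike every other alias in these hunks; anything comparing the alias against the real name will never match it. Drop the parenthetical so the value is `"République de Guinée"`.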
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 31bdae97..a99c16d0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7642,6 +7642,15 @@
 "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
 "value": "TA428"
 },
+ {
+ "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
+ "value": "LYCEUM",
+ "meta": {
+ "refs": [
+ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
+ ]
+ }
+ },
 {
 "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.",
 "meta": {
@@ -7688,5 +7697,5 @@
 "value": "APT41"
 }
 ],
- "version": 126
+ "version": 128
 }
From 025cc937653e39150375ecb73436a89ac03d3c9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Wed, 28 Aug 2019 16:49:39 +0200
Subject: [PATCH 03/12] fix: Make tests happy
---
 clusters/threat-actor.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a99c16d0..f392bf3a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7643,13 +7643,13 @@
 "value": "TA428"
 },
 {
- "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
- "value": "LYCEUM",
 "meta": {
 "refs": [
 "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
 ]
- }
+ },
+ "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
+ "value": "LYCEUM"
 },
 {
 "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.",
From 8d78a2a108c78173cb6c02f374b3ed7a1f2e8988 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 29 Aug 2019 08:31:10 +0200
Subject: [PATCH 04/12] chg: [threat-actor] jq all
---
 clusters/threat-actor.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
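Review bot: The new LYCEUM entry carries only a `refs` link and no `description`, while its neighbours TA428 and APT41 describe the actor; a one-sentence summary drawn from the cited Secureworks post would make the entry usable without following the link. The `"version"` bump goes from 126 to 128 and skips 127 — presumably a rebase artifact, but it is worth confirming the new value is strictly greater than what is already on the main branch.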
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d5a6142c..7250d68f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7644,13 +7644,13 @@
 "value": "TA428"
 },
 {
- "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
- "value": "LYCEUM",
 "meta": {
 "refs": [
 "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
 ]
- }
+ },
+ "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
+ "value": "LYCEUM"
 },
 {
 "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.",
From 49f8f60a85d21f9518c5173002cd2697fa2b97e3 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Thu, 29 Aug 2019 13:13:00 +0200
Subject: [PATCH 05/12] Update threat-actor.json Add ITG08 as synonym for FIN6
---
 clusters/threat-actor.json | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7250d68f..222569b0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3735,10 +3735,12 @@
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
 "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
- "https://attack.mitre.org/groups/G0037/"
+ "https://attack.mitre.org/groups/G0037/",
+ "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"
 ],
 "synonyms": [
- "Skeleton Spider"
+ "Skeleton Spider",
+ "ITG08"
 ]
 },
 "related": [
@@ -7698,5 +7700,5 @@
 "value": "APT41"
 }
 ],
- "version": 128
+ "version": 129
 }
From c93103bba17c501a5cebe49b9646ccad1b8fe86e Mon Sep 17 00:00:00 2001
From: Sebastian Wagner
Date: Fri, 30 Aug 2019 09:57:05 +0200
Subject: [PATCH 06/12] Add test for empty strings Should prevent MISP/misp-galaxy#438
---
 .gitignore | 1 +
 tools/__init__.py | 0
 tools/chk_dup.py | 33 ++++++++++++++++++++++++---------
 tools/chk_empty_strings.py | 24 ++++++++++++++++++++++++
 validate_all.sh | 3 +++
 5 files changed, 52 insertions(+), 9 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 tools/__init__.py
 create mode 100755 tools/chk_empty_strings.py
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..bee8a64b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+__pycache__
diff --git a/tools/__init__.py b/tools/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tools/chk_dup.py b/tools/chk_dup.py
index 2ed2f897..9df3000e 100755
--- a/tools/chk_dup.py
+++ b/tools/chk_dup.py
@@ -8,9 +8,19 @@
 import os
 import collections
-def loadjsons(path):
+def loadjsons(path, return_paths=False):
 """
- Find all Jsons and load them in a dict
+ Find all Jsons and load them in a dict
+
+ Parameters:
+ path: string
+ return_names: boolean, if the name of the file should be returned,
+ default: False
+
+ Returns:
+ List of parsed file contents.
+ If return_paths is True, then every list item is a tuple of the
+ file name and the file content
 """
 files = []
 data = []
@@ -18,9 +28,14 @@ def loadjsons(path):
 if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'):
 files.append(name)
 for jfile in files:
- data.append(json.load(open("%s/%s" % (path, jfile))))
+ filepath = os.path.join(path, jfile)
+ if return_paths:
+ data.append((filepath, json.load(open(filepath))))
+ else:
+ data.append(json.load(json.load(open(filepath))))
 return data
+
 if __name__ == '__main__':
 """
 Iterate all name + synonyms
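Review bot: The `else` branch of the new loop in `loadjsons` calls `json.load(json.load(open(filepath)))`, parsing the file once and then handing the resulting dict to `json.load` again, which expects a file object; the default `return_paths=False` path — the one chk_dup.py's own `__main__` relies on — therefore raises on the first cluster it reads. The docstring describes the flag as `return_names` although the parameter is `return_paths`, and neither branch closes the file it opens. Loading once under `with` and choosing the tuple form afterwards fixes all three; the `__main__` block that consumes the result lies outside this hunk.
```python
    for jfile in files:
        filepath = os.path.join(path, jfile)
        with open(filepath) as handle:
            content = json.load(handle)
        # return (path, content) pairs only when the caller asked for them
        data.append((filepath, content) if return_paths else content)
    return data
```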
@@ -33,19 +48,19 @@ if __name__ == '__main__':
 items = djson.get('values')
 for entry in items:
 name = entry.get('value').strip().lower()
- counter[name]+=1
+ counter[name] += 1
 namespace.append([name, djson.get('name')])
 try:
 for synonym in entry.get('meta').get('synonyms'):
 name = synonym.strip().lower()
- counter[name]+=1
+ counter[name] += 1
 namespace.append([name, djson.get('name')])
 except (AttributeError, TypeError):
 pass
 counter = dict(counter)
 for key, val in counter.items():
- if val>1:
- print ("Warning duplicate %s" % key)
+ if val > 1:
+ print("Warning duplicate %s" % key)
 for item in namespace:
- if item[0]==key:
- print (item)
+ if item[0] == key:
+ print(item)
diff --git a/tools/chk_empty_strings.py b/tools/chk_empty_strings.py
new file mode 100755
index 00000000..1ccac243
--- /dev/null
+++ b/tools/chk_empty_strings.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+# coding=utf-8
+"""
+ Tools to find empty string entries in galaxies
+"""
+from .chk_dup import loadjsons
+import sys
+
+
 if __name__ == '__main__':
+ jsons = loadjsons("clusters", return_paths=True)
+ retval = 0
+ for clustername, djson in jsons:
+ items = djson.get('values')
+ for entry in items:
+ name = entry.get('value')
+ for key, value in entry.get('meta', {}).items():
+ if isinstance(value, list):
+ if '' in value:
+ retval = 1
+ print("Empty string found in Cluster %r: values/%s/meta/%s"
+ "" % (clustername, name, key),
+ file=sys.stderr)
+ sys.exit(retval)
diff --git a/validate_all.sh b/validate_all.sh
index 7d1a8423..f797c553 100755
--- a/validate_all.sh
+++ b/validate_all.sh
@@ -84,3 +84,6 @@ do
 fi
 echo ''
 done
+
+# check for empyt strings in clusters
+python3 -m tools.chk_empty_strings
From e13087a9c4d92021edef20017ed70ef8f3057014 Mon Sep 17 00:00:00 2001
From: Sebastian Wagner
Date: Fri, 30 Aug 2019 10:05:29 +0200
Subject: [PATCH 07/12] target-information: fix territory-type for China
---
 clusters/target-information.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
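Review bot: `chk_empty_strings.py` reports an empty string only inside list-valued `meta` entries (`if isinstance(value, list): if '' in value:`), so an empty scalar such as `"capital": ""` or an empty top-level `value` passes unnoticed; `if value == '' or (isinstance(value, list) and '' in value):` covers both shapes. The module uses a relative import (`from .chk_dup import loadjsons`) while shipping with a shebang and mode 100755, so running it as a script fails with ImportError and only `python3 -m tools.chk_empty_strings`, the form validate_all.sh uses, works — a docstring line stating that invocation would save the next contributor a puzzle. In validate_all.sh the exit status of that call is not inspected; unless the script runs under `set -e` (not visible in this hunk) a finding goes to stderr but does not fail validation, and the comment above it reads `empyt` for `empty`. Calling `loadjsons` with `return_paths=True` happens to avoid the broken default branch in chk_dup.py, which still needs its own fix.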
diff --git a/clusters/target-information.json b/clusters/target-information.json
index c3165973..8bcc969e 100644
--- a/clusters/target-information.json
+++ b/clusters/target-information.json
@@ -1493,7 +1493,7 @@
 "Zhōnghuá Rénmín Gònghéguó"
 ],
 "territory-type": [
- ""
+ "Country"
 ]
 },
 "uuid": "53d3d205-db31-4ec9-86aa-c2bf11fd18e6",
From f5056ff02e8e08947a76839824d78a5959f7a266 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 30 Aug 2019 11:03:30 +0200
Subject: [PATCH 08/12] chg: [threat-actor] add machete-apt synonyms as reported in #445
---
 clusters/threat-actor.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7250d68f..cf48517b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4675,7 +4675,8 @@
 "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html"
 ],
 "synonyms": [
- "Machete"
+ "Machete",
+ "machete-apt"
 ]
 },
 "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3",
@@ -7698,5 +7699,5 @@
 "value": "APT41"
 }
 ],
- "version": 128
+ "version": 129
 }
From 5504c10e3d098d2260ac926a06661113d5b60bd7 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 30 Aug 2019 16:32:02 +0200
Subject: [PATCH 09/12] improve more clusters
---
 clusters/target-information.json | 270 ++++++++++++++++++++++++++++++-
 1 file changed, 269 insertions(+), 1 deletion(-)
diff --git a/clusters/target-information.json b/clusters/target-information.json
index 69521a3f..a9ef9b1e 100644
--- a/clusters/target-information.json
+++ b/clusters/target-information.json
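Review bot: Patch 08's second hunk bumps `"version"` from 128 to 129 against base blob 7250d68f — the same base and the same target value patch 05 already used, as its `index 7250d68f..` line shows — so whichever of the two lands second will not apply cleanly on that hunk, and patch 11's 129→130 presumably only follows a manual resolution. Rebasing each patch onto the then-current value avoids the conflict. The machete-apt synonym itself matches the issue cited in the subject and needs no change.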
@@ -3002,10 +3002,33 @@
 "calling-code": [
 "+509"
 ],
+ "capital": [
+ "Port-au-Prince"
+ ],
+ "currency": [
+ "Haitian gourde",
+ "G",
+ "HTG"
+ ],
 "iso-code": [
 "HT",
 "HTI"
 ],
+ "official-languages": [
+ "French",
+ "Haitian Creole"
+ ],
+ "synomyms": [
+ "Haïti",
+ "Ayiti",
+ "Republic of Haiti",
+ "République d'Haïti",
+ "Repiblik Ayiti",
+ "Hayti"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".ht"
 },
 "uuid": "595dd000-64ac-43b5-be17-0f52eff47459",
@@ -3016,10 +3039,27 @@
 "calling-code": [
 "+504"
 ],
+ "capital": [
+ "Tegucigalpa"
+ ],
+ "currency": [
+ "Lempira",
+ "HNL"
+ ],
 "iso-code": [
 "HN",
 "HND"
 ],
+ "official-languages": [
+ "Spanish"
+ ],
+ "synomyms": [
+ "Republic of Honduras",
+ "República de Honduras"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".hn"
 },
 "uuid": "74a66006-ce2b-4280-abd1-e6f14ff9b926",
@@ -3030,10 +3070,25 @@
 "calling-code": [
 "+852"
 ],
+ "currency": [
+ "Hong Kong dollar",
+ "HK$",
+ "HKD"
+ ],
 "iso-code": [
 "HK",
 "HKG"
 ],
+ "official-languages": [
+ "Chinese",
+ "English"
+ ],
+ "synomyms": [
+ "Hong Kong Special Administrative Region of the People's Republic of China"
+ ],
+ "territory-type": [
+ "special administrative region"
+ ],
 "top-level-domain": ".hk"
 },
 "uuid": "51c8ffc5-5453-4bf8-b100-74186d9a0de0",
@@ -3044,6 +3099,13 @@
 "calling-code": [
 "+36"
 ],
+ "capital": [
+ "Budapest"
+ ],
+ "currency": [
+ "Forint",
+ "HUF"
+ ],
 "iso-code": [
 "HU",
 "HUN"
@@ -3051,6 +3113,15 @@
 "member-of": [
 "NATO"
 ],
+ "official-languages": [
+ "Hungarian"
+ ],
+ "synomyms": [
+ "Magyarország"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".hu"
 },
 "uuid": "adc52cee-5668-498d-8111-db1c38a584c5",
@@ -3061,6 +3132,13 @@
 "calling-code": [
 "+354"
 ],
+ "capital": [
+ "Reykjavík"
+ ],
+ "currency": [
+ "Icelandic króna",
+ "ISK"
+ ],
 "iso-code": [
 "IS",
 "ISL"
@@ -3068,6 +3146,15 @@
 "member-of": [
 "NATO"
 ],
+ "official-languages": [
+ "Icelandic"
+ ],
+ "synomyms": [
+ "Ísland"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".is"
 },
 "uuid": "5bcfbed4-d9af-40ab-bcbd-013cad252570",
@@ -3078,10 +3165,29 @@
 "calling-code": [
 "+91"
 ],
+ "capital": [
+ "New Delhi"
+ ],
+ "currency": [
+ "Indian rupee",
+ "₹",
+ "INR"
+ ],
 "iso-code": [
 "IN",
 "IND"
 ],
+ "official-languages": [
+ "Hindi",
+ "English"
+ ],
+ "synomyms": [
+ "Republic of India",
+ "Bhārat Gaṇarājya"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".in"
 },
 "uuid": "283a7b58-9fa6-48c8-95bc-9ece77b5b2ea",
@@ -3092,10 +3198,28 @@
 "calling-code": [
 "+62"
 ],
+ "capital": [
+ "Jakarta"
+ ],
+ "currency": [
+ "Indonesian rupiah",
+ "Rp",
+ "IDR"
+ ],
 "iso-code": [
 "ID",
 "IDN"
 ],
+ "official-languages": [
+ "Indonesian"
+ ],
+ "synomyms": [
+ "Republic of Indonesia",
+ "Republik Indonesia"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".id"
 },
 "uuid": "417b5c63-a388-45d1-b104-cede98b13fe0",
@@ -3106,10 +3230,30 @@
 "calling-code": [
 "+98"
 ],
+ "capital": [
+ "Tehran"
+ ],
+ "currency": [
+ "Rial",
+ "ریال",
+ "IRR"
+ ],
 "iso-code": [
 "IR",
 "IRN"
 ],
+ "official-languages": [
+ "Persian"
+ ],
+ "synomyms": [
+ "Persia",
+ "Islamic Republic of Iran",
+ "جمهوری اسلامی ایران",
+ "Jomhuri-ye Eslāmi-ye Irān"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".ir"
 },
 "uuid": "12b32332-ead1-4f69-be61-69ab1ed27d01",
@@ -3120,10 +3264,36 @@
 "calling-code": [
 "+964"
 ],
+ "capital": [
+ "Baghdad"
+ ],
+ "currency": [
+ "Iraqi dinar",
+ "IQD"
+ ],
 "iso-code": [
 "IQ",
 "IRQ"
 ],
+ "official-languages": [
+ "Arabic",
+ "Kurdish"
+ ],
+ "synomyms": [
+ "العراق",
+ "al-'Irāq",
+ "عێراق‎",
+ "Êraq",
+ "Republic of Iraq",
+ "جمهورية العراق",
+ "کۆماری عێراق",
+ "کۆمارا ئێـراقێ",
+ "Jumhūrīyyat al-'Irāq",
+ "Komarî Êraq"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".iq"
 },
 "uuid": "625f37bd-fe48-4791-ac1e-be8d069643a1",
@@ -3134,10 +3304,29 @@
 "calling-code": [
 "+353"
 ],
+ "capital": [
+ "Dublin"
+ ],
+ "currency": [
+ "€",
+ "EUR",
+ "EURO"
+ ],
 "iso-code": [
 "IE",
 "IRL"
 ],
+ "official-languages": [
+ "Irish",
+ "English"
+ ],
+ "synomyms": [
+ "Éire",
+ "Republic of Ireland"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".ie"
 },
 "uuid": "b1243ef1-78f4-4e10-841d-bc61361f21f8",
@@ -3148,10 +3337,32 @@
 "calling-code": [
 "+44-1624"
 ],
+ "capital": [
+ "Douglas"
+ ],
+ "currency": [
+ "Pound sterling",
+ "GBP",
+ "Manx pound",
+ "IMP"
+ ],
 "iso-code": [
 "IM",
 "IMN"
- ]
+ ],
+ "official-languages": [
+ "English",
+ "Manx"
+ ],
+ "synomyms": [
+ "Mannin",
+ "Ellan Vannin",
+ "Mann"
+ ],
+ "territory-type": [
+ "Crown dependency"
+ ],
+ "top-level-domain": ".im"
 },
 "uuid": "57855966-b290-47e2-b098-1d903f4163b8",
 "value": "Isle of Man"
@@ -3161,10 +3372,29 @@
 "calling-code": [
 "+972"
 ],
+ "capital": [
+ "Jerusalem"
+ ],
+ "currency": [
+ "New shekel",
+ "₪",
+ "‎ILS"
+ ],
 "iso-code": [
 "IL",
 "ISR"
 ],
+ "official-languages": [
+ "Hebrew"
+ ],
+ "synomyms": [
+ "יִשְׂרָאֵל",
+ "إِسْرَائِيل‎",
+ "State of Israel"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".il"
 },
 "uuid": "3273414a-8331-44cc-b3f6-890bf2363607",
@@ -3175,6 +3405,14 @@
 "calling-code": [
 "+39"
 ],
+ "capital": [
+ "Rome"
+ ],
+ "currency": [
+ "€",
+ "EUR",
+ "EURO"
+ ],
 "iso-code": [
 "IT",
 "ITA"
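Review bot: The Israel currency entry `"‎ILS"` appears to begin with an invisible bidirectional format character (it renders as a bare ILS but is not byte-identical to it), and the Arabic-script synonyms `"عێراق‎"` (Iraq) and `"إِسْرَائِيل‎"` (Israel) appear to end with the same kind of mark, most likely carried over from a web copy-paste. A value containing such a character fails any exact-match lookup against the plain ISO code and cannot be spotted by eye in review; strip them so the code is the plain three letters `"ILS"`. A small check for U+200E/U+200F and similar invisible format characters alongside tools/chk_empty_strings.py would catch future cases.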
@@ -3182,6 +3420,17 @@
 "member-of": [
 "NATO"
 ],
+ "official-languages": [
+ "Italian"
+ ],
+ "synomyms": [
+ "Italia",
+ "Italian Republic",
+ "Repubblica Italiana"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".it"
 },
 "uuid": "1bcc0b11-d906-40ea-910c-a1124c4d82bd",
@@ -3192,10 +3441,29 @@
 "calling-code": [
 "+225"
 ],
+ "capital": [
+ "Yamoussoukro",
+ "Abidjan"
+ ],
+ "currency": [
+ "West African CFA franc",
+ "XOF"
+ ],
 "iso-code": [
 "CI",
 "CIV"
 ],
+ "official-languages": [
+ "French"
+ ],
+ "synomyms": [
+ "Côte d'Ivoire",
+ "Republic of Côte d'Ivoire",
+ "République de Côte d'Ivoire"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".ci"
 },
 "uuid": "c1aac71f-b060-4816-9369-451df1550883",
From e79310c8619a96c6f627f471310f356c1a7f7429 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sat, 31 Aug 2019 21:08:50 +0200
Subject: [PATCH 10/12] Add Nemty Ransomware
---
 clusters/ransomware.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 144fcafc..bc65e8e4 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13472,7 +13472,19 @@
 },
 "uuid": "6cfa553a-1e1b-115a-401f-015d681470b1",
 "value": "GetCrypt"
+ },
+ {
+ "description": "A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.",
+ "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1000 $",
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
+ ]
+ },
+ "uuid": "6cfa554a-1e2b-115a-400f-014d671470b1",
+ "value": "Nemty"
 }
 ],
- "version": 64
+ "version": 65
 }
From f40b7dd132cb67153644b5856621e6fedfbdca5f Mon Sep 17 00:00:00 2001
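Review bot: The Nemty entry's `"uuid": "6cfa554a-1e2b-115a-400f-014d671470b1"` differs from the preceding GetCrypt UUID `6cfa553a-1e1b-115a-401f-015d681470b1` in only a handful of digits, which suggests it was typed by hand rather than generated; the third group `115a` and fourth group `400f` do not match what a randomly generated (version 4) UUID produces, and the Buran entry added in patch 12 follows the same pattern. These identifiers are what other galaxies and MISP instances reference the cluster by, so a hand-derived value risks a collision that is very hard to debug later; generate them with `uuidgen` or `python3 -c 'import uuid; print(uuid.uuid4())'`. `"price": "1000 $"` is free text — if other ransomware entries record an amount and currency in a fixed form, follow that form.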
From: Daniel Plohmann
Date: Sun, 1 Sep 2019 15:46:36 +0200
Subject: [PATCH 11/12] 'SectorJ04 Group' as alias introduced by NSHC for TA505 Not explicitly mentioned in the blog post but it looks like we just got an alias for TA505... https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/
---
 clusters/threat-actor.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2d0799c5..7a23f1e2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6914,7 +6914,11 @@
 "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
 "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
 "https://threatpost.com/ta505-servhelper-malware/140792/",
- "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/"
+ "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
+ "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"
+ ],
+ "synonyms": [
+ "SectorJ04 Group"
 ]
 },
 "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@@ -7701,5 +7705,5 @@
 "value": "APT41"
 }
 ],
- "version": 129
+ "version": 130
 }
From 28ec6962725a350e1ab082219a478cafc7e8740d Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sun, 1 Sep 2019 21:20:28 +0200
Subject: [PATCH 12/12] Add Buran Ransomware
---
 clusters/ransomware.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index bc65e8e4..1586fcd9 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
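Review bot: The `"synonyms": ["SectorJ04 Group"]` block records the alias as a plain fact, while the commit message itself says the cited NSHC post does not state it explicitly and the mapping is the committer's inference. Synonyms are what tools/chk_dup.py merges on, and presumably what consumers correlate on, so an assessed alias should at least be marked as such — a sentence in the entry's `description` noting that the SectorJ04 mapping is inferred from overlapping activity rather than stated by the source — or held back until a source states it. The entry's `description` and the rest of the object are outside this hunk.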
@@ -13484,7 +13484,17 @@
 },
 "uuid": "6cfa554a-1e2b-115a-400f-014d671470b1",
 "value": "Nemty"
+ },
+ {
+ "description": "Buran is a new version of the Vega ransomware strain (a.k.a. Jamper, Ghost, Buhtrap) that attacked accountants from February through April 2019. The new Buran ransomware first was discovered by nao_sec in June 2019, delivered by the RIG Exploit Kit, as reported by BleepingComputer.",
+ "meta": {
+ "refs": [
+ "https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit"
+ ]
+ },
+ "uuid": "6cfa554a-1e1b-114a-300f-013d671370b0",
+ "value": "Buran"
 }
 ],
- "version": 65
+ "version": 66
 }