add Germany as target for several Threat actors

pull/952/head
Delta-Sierra 2024-03-21 16:00:31 +01:00
parent 5d8d0d294e
commit 7e715b63e7
2 changed files with 113 additions and 31 deletions

View File

@ -343,7 +343,8 @@
"description": "Threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware.",
"meta": {
"refs": [
"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
]
},
"related": [

View File

@ -1128,7 +1128,8 @@
"cfr-suspected-victims": [
"European Union",
"India",
"United Kingdom"
"United Kingdom",
"Germany"
],
"cfr-target-category": [
"Government"
@ -1148,7 +1149,8 @@
"https://www.secureworks.com/research/threat-profiles/bronze-palace",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi"
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"VIXEN PANDA",
@ -1164,7 +1166,8 @@
"NICKEL",
"G0004",
"Red Vulture",
"Nylon Typhoon"
"Nylon Typhoon",
"Mirage"
],
"targeted-sector": [
"Government, Administration"
@ -2393,7 +2396,8 @@
"https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
"https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"Pawn Storm",
@ -2480,7 +2484,8 @@
"Mexico",
"Turkey",
"Portugal",
"India"
"India",
"Germany"
],
"cfr-target-category": [
"Government",
@ -2516,7 +2521,8 @@
"TA421",
"Blue Kitsune",
"ITG11",
"BlueBravo"
"BlueBravo",
"Nobelium"
],
"targeted-sector": [
"Think Tanks",
@ -2625,7 +2631,8 @@
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf"
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"Snake",
@ -3222,7 +3229,8 @@
"https://attack.mitre.org/groups/G0032",
"https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/",
"https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"Operation DarkSeoul",
@ -3323,6 +3331,9 @@
"description": "VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organizations new attack activity, confirmed and exposed the gangs targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-victims": [
"Germany"
],
"country": "IN",
"refs": [
"https://github.com/jack8daniels2/threat-INTel/blob/master/2013/Unveiling-an-Indian-Cyberattack-Infrastructure-appendixes.pdf",
@ -3335,7 +3346,8 @@
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/",
"https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"OPERATION HANGOVER",
@ -4592,7 +4604,8 @@
"description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
"meta": {
"cfr-suspected-victims": [
"Ukraine"
"Ukraine",
"Germany"
],
"cfr-target-category": [
"Government"
@ -4617,7 +4630,8 @@
"https://cert.gov.ua/article/39386",
"https://cert.gov.ua/article/39086",
"https://cert.gov.ua/article/39138",
"https://cert.gov.ua/article/18365"
"https://cert.gov.ua/article/18365",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"ACTINIUM",
@ -5621,7 +5635,8 @@
"cfr-suspected-victims": [
"Ministry of Unification",
"Sejong Institute",
"Korea Institute for Defense Analyses"
"Korea Institute for Defense Analyses",
"Germany"
],
"cfr-target-category": [
"Government",
@ -5644,7 +5659,8 @@
"https://asec.ahnlab.com/en/57873/",
"https://asec.ahnlab.com/en/61082/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/",
"https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/"
"https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"Velvet Chollima",
@ -7020,7 +7036,8 @@
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States"
"United States",
"Germany"
],
"cfr-target-category": [
"Civil society"
@ -7039,7 +7056,8 @@
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
"https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
"https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european",
"https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/"
"https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"BRONZE PRESIDENT",
@ -7974,6 +7992,9 @@
{
"description": "This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"country": "TR",
"refs": [
"https://blog.talosintelligence.com/2019/04/seaturtle.html",
@ -7989,7 +8010,8 @@
"https://threatintel.eu/2020/02/25/on-sea-turtle-campaign-targeting-greek-governmental-organisations-timeline",
"https://www.mandiant.com/resources/blog/global-dns-hijacking-campaign-dns-record-manipulation-at-scale",
"https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Mercer-Rascagneres.pdf",
"https://www.youtube.com/watch?v=ws1k44ZhJ3g"
"https://www.youtube.com/watch?v=ws1k44ZhJ3g",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"COSMIC WOLF",
@ -9642,7 +9664,8 @@
"https://www.mandiant.com/resources/unc1151-linked-to-belarus-government",
"https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"UNC1151",
@ -10294,11 +10317,15 @@
{
"description": "The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"country": "IN",
"refs": [
"https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
"https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"Bitter",
@ -11464,6 +11491,9 @@
{
"description": "ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"country": "RU",
"refs": [
"https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass",
@ -11471,7 +11501,8 @@
"https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html",
"https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/",
"https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection",
"https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"
"https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"Storm-0978"
@ -12524,7 +12555,8 @@
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States"
"United States",
"Germany"
],
"cfr-target-category": [
"Government"
@ -12534,7 +12566,8 @@
"refs": [
"https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/",
"https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr",
"https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/"
"https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
]
},
"uuid": "5b30bcb8-4923-45cc-bc89-29651ca5d54e",
@ -12584,6 +12617,9 @@
{
"description": "Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"country": "RU",
"refs": [
"https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/",
@ -12592,7 +12628,8 @@
"https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability",
"https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/",
"https://cybersecuritynews.com/russian-hackers-xss-flaw/",
"https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail"
"https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"UAC-0114",
@ -12670,9 +12707,13 @@
{
"description": "GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. Kaspersky believes the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server. They developed a collection of .NET malware tools known as Jackal.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"refs": [
"https://securelist.com/it-threat-evolution-q2-2023/110355/",
"https://securelist.com/goldenjackal-apt-group/109677/"
"https://securelist.com/goldenjackal-apt-group/109677/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
]
},
"uuid": "8e93e09a-734d-4b16-933f-9feb58f6ce7d",
@ -12741,10 +12782,18 @@
{
"description": "YoroTroopers main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States, based on Cisco Talos analysis. YoroTrooper was also observed compromising accounts from at least two international organizations: a critical European Union health care agency and the World Intellectual Property Organization. Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"country": "KZ",
"refs": [
"https://blog.talosintelligence.com/attributing-yorotrooper/",
"https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/"
"https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"Salted Earth",
"Sturgeon Fisher"
]
},
"uuid": "2031ae01-e962-4861-a224-0934af6cdd3a",
@ -12978,11 +13027,15 @@
{
"description": "SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018. The APT group utilizes spear-phishing techniques to obtain initial access, employing a combination of outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"country": "CN",
"refs": [
"https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-sharppanda-chinese-apt-group-targets-southeast-asian-government-active-iocs",
"https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/"
"https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
]
},
"uuid": "7133a722-088c-4d5a-b2e0-a1f9915f807d",
@ -14063,11 +14116,15 @@
{
"description": "UAC-0050 is a threat actor that has been active since 2020, targeting government agencies in Ukraine. They have been distributing the Remcos RAT malware through phishing campaigns, using tactics such as impersonating the Security Service of Ukraine and sending emails with malicious attachments. The group has also been linked to other hacking collectives, such as UAC-0096, and has previously used remote administration tools like Remote Utilities. The motive behind their attacks is likely espionage.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"refs": [
"https://cert.gov.ua/article/3931296",
"https://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/",
"https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/",
"https://cert.gov.ua/article/3804703"
"https://cert.gov.ua/article/3804703",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
]
},
"uuid": "e3ff56b6-2663-46bd-9e5c-017a350896d9",
@ -14317,6 +14374,9 @@
{
"description": "While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Once UTA0178 had access into the network via the ICS VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise credentials of users on any new system that was breached, and use these credentials to log into additional systems via RDP. Volexity observed the attacker obtaining credentials in a variety of ways.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"country": "CN",
"refs": [
"https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/",
@ -14324,10 +14384,12 @@
"https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
"https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/",
"https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/",
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"UNC5221"
"UNC5221",
"Red Dev 61"
]
},
"uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",
@ -15005,9 +15067,16 @@
{
"description": "Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.",
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"refs": [
"https://securelist.com/apt-trends-report-q1-2020/96826/",
"https://securelist.com/apt-trends-report-q1-2022/106351/"
"https://securelist.com/apt-trends-report-q1-2022/106351/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
],
"synonyms": [
"Outrider Tiger"
]
},
"uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
@ -15324,7 +15393,19 @@
},
"uuid": "69a944ef-4962-432e-a1b9-575b646ee2ed",
"value": "R00tK1T"
},
{
"meta": {
"cfr-suspected-victims": [
"Germany"
],
"refs": [
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
]
},
"uuid": "da89d534-5be8-414b-832c-3e9d0d66b4e0",
"value": "Mirage Tiger"
}
],
"version": 302
"version": 303
}