Merge pull request #756 from r0ny123/microsoft-activity-group

Remove `Transperent Tribe` from microsoft-activity-group
2022-08-20 20:05:45 +02:00 · 2022-08-20 20:05:45 +02:00 · 8c09aeb1dd
parent 6b137ea12c 5b42a09dc2
commit 8c09aeb1dd
2 changed files with 20 additions and 33 deletions
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@ -205,38 +205,6 @@
      "uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d",
      "value": "ZIRCONIUM"
    },
-    {
-      "description": "This threat actor uses social engineering and spear phishing to target military and defense organizations in India, for the purpose of espionage.",
-      "meta": {
-        "cfr-suspected-state-sponsor": "Pakistan",
-        "cfr-suspected-victims": [
-          "India"
-        ],
-        "cfr-target-category": [
-          "Government",
-          "Private sector"
-        ],
-        "cfr-type-of-incident": "Espionage",
-        "refs": [
-          "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
-        ],
-        "synonyms": [
-          "C-Major",
-          "Transparent Tribe"
-        ]
-      },
-      "related": [
-        {
-          "dest-uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905",
-          "tags": [
-            "estimative-language:likelihood-probability=\"likely\""
-          ],
-          "type": "similar"
-        }
-      ],
-      "uuid": "2a410eea-a9da-11e8-b404-37b7060746c8",
-      "value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
-    },
    {
      "description": "Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.\nTo compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.\nThis activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.",
      "meta": {
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -9773,7 +9773,26 @@
      },
      "uuid": "e1e70539-8916-45c2-9b01-891c1c5bd8a1",
      "value": "TA558"
+    },
+    {
+      "description": "One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload.\n PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.\nThe group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.\nPARINACOTA’s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors.\nThe group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "42148074-196b-4f8c-b149-12163fc385fa",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        }
+      ],
+      "uuid": "00edb40d-2fed-4d36-98b1-c85fc2bb1168",
+      "value": "PARINACOTA"
    }
  ],
-  "version": 242
+  "version": 243
 }