From 6fd584fa880d3c2976d9ef6ec4f2876c91c59a10 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sat, 20 Aug 2022 17:06:18 +0000
Subject: [PATCH 1/2] remove APT36/ Transpert Tribe from microsoft-activity-group.json cause we don't know any MSTIC name yet.
---
 clusters/microsoft-activity-group.json | 32 --------------------------
 1 file changed, 32 deletions(-)
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 7f38304e..012e1bd8 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -205,38 +205,6 @@
 "uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d",
 "value": "ZIRCONIUM"
 },
- {
- "description": "This threat actor uses social engineering and spear phishing to target military and defense organizations in India, for the purpose of espionage.",
- "meta": {
- "cfr-suspected-state-sponsor": "Pakistan",
- "cfr-suspected-victims": [
- "India"
- ],
- "cfr-target-category": [
- "Government",
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
- ],
- "synonyms": [
- "C-Major",
- "Transparent Tribe"
- ]
- },
- "related": [
- {
- "dest-uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "2a410eea-a9da-11e8-b404-37b7060746c8",
- "value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
- },
 {
 "description": "Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.\nTo compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. 
Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.\nThis activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.",
 "meta": {
From 5b42a09dc27c48ed3d775372c8e3f8417044c102 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sat, 20 Aug 2022 17:10:15 +0000
Subject: [PATCH 2/2] add PARINACOTA to threat-actor.json MSTIC names digital crime actors based on global volcanoes
---
 clusters/threat-actor.json | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 361c342a..6d435bd2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9773,7 +9773,26 @@
 },
 "uuid": "e1e70539-8916-45c2-9b01-891c1c5bd8a1",
 "value": "TA558"
+ },
+ {
+ "description": "One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload.\n PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.\nThe group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.\nPARINACOTA’s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors.\nThe group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. 
Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "42148074-196b-4f8c-b149-12163fc385fa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "00edb40d-2fed-4d36-98b1-c85fc2bb1168",
+ "value": "PARINACOTA"
 }
 ],
- "version": 242
+ "version": 243
 }
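Review bot: The new description string misspells a malware family name — `MegaCortext` should be `MegaCortex`, as in the cited Microsoft post — and carries a stray space after the first `\n` (`\n PARINACOTA`); both matter here because downstream tooling and analysts search these descriptions for family names. The opening sentence is also lifted verbatim from the blog and is not self-contained (`One actor that has emerged in this trend of human-operated attacks ...`); I would open with something like `PARINACOTA is an MSTIC-tracked digital-crime actor that runs human-operated ransomware campaigns, most often deploying Wadhrama after brute-forcing internet-exposed RDP.` and keep the rest of the text. The `related` entry of type `uses` pointing at `42148074-196b-4f8c-b149-12163fc385fa` is presumably the Wadhrama entry in another galaxy — please confirm that UUID resolves before merging, since a dangling `dest-uuid` is not caught by JSON validation. Finally, since the commit message says PARINACOTA is an MSTIC name, consider whether it should also (or instead) live in clusters/microsoft-activity-group.json, which the first patch just pruned for lacking MSTIC names; a cross-cluster `related` link or `synonyms` entry would keep the two clusters consistent.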