MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'r0ny123-main' into main

pull/743/head
Alexandre Dulaunoy 2022-07-20 18:41:57 +02:00
parent a376b68ef8 b4ce9a9453
commit 9664433777
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 357 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

384
clusters/threat-actor.json
View File

@ -651,9 +651,7 @@
"Winnti Group",
"Suckfly",
"APT41",
"APT 41",
"Group72",
"Group 72",
"Blackfly",
"LEAD",
"WICKED SPIDER",
@ -897,7 +895,8 @@
"DRAGONFISH",
"BRONZE ELGIN",
"ATK1",
"G0030"
"G0030",
"Red Salamander"
]
},
"related": [
@ -957,7 +956,7 @@
"value": "Lotus Panda"
},
{
"description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDAs preferred initial vector of compromise and persistence is a China Chopper webshell a tiny and easily obfuscated 70 byte text file that consists of an eval() command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via net use and wmic commands executed through the webshell terminal.",
"description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell a tiny and easily obfuscated 70 byte text file that consists of an eval() command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via net use and wmic commands executed through the webshell terminal.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
@ -1409,7 +1408,9 @@
"synonyms": [
"IceFog",
"Dagger Panda",
"Trident"
"Trident",
"RedFoxtrot",
"Red Wendigo"
]
},
"uuid": "32c534b9-abec-4823-b223-a810f897b47b",
@ -1675,9 +1676,7 @@
],
"synonyms": [
"APT23",
"APT 23",
"KeyBoy",
"TropicTrooper",
"Tropic Trooper",
"BRONZE HOBART",
"G0081"
@ -2420,14 +2419,15 @@
"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/",
"https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
"https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
"https://unit42.paloaltonetworks.com/atoms/fighting-ursa/"
"https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
],
"synonyms": [
"APT 28",
"APT28",
"Pawn Storm",
"PawnStorm",
"Fancy Bear",
"FANCY BEAR",
"Sednit",
"SNAKEMACKEREL",
"TsarTeam",
@ -2602,7 +2602,8 @@
"https://attack.mitre.org/groups/G0010/",
"https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/",
"https://www.secureworks.com/research/threat-profiles/iron-hunter",
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
],
"synonyms": [
"Turla",
@ -2746,14 +2747,15 @@
"https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
"https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
"https://attack.mitre.org/groups/G0034/"
"https://attack.mitre.org/groups/G0034/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
],
"synonyms": [
"Sandworm Team",
"Black Energy",
"BlackEnergy",
"Quedagh",
"Voodoo Bear",
"VOODOO BEAR",
"TEMP.Noble",
"Iron Viking",
"G0034"
@ -4511,7 +4513,11 @@
"description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
"meta": {
"refs": [
"https://www.f-secure.com/documents/996508/1030745/callisto-group"
"https://www.f-secure.com/documents/996508/1030745/callisto-group",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
],
"synonyms": [
"COLDRIVER"
]
},
"uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
@ -4883,7 +4889,7 @@
],
"synonyms": [
"CactusPete",
"Karma Panda",
"KARMA PANDA",
"BRONZE HUNTLEY"
]
},
@ -6329,8 +6335,12 @@
"description": "Recorded Futures Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.",
"meta": {
"refs": [
"https://www.recordedfuture.com/redalpha-cyber-campaigns/",
"https://www.recordedfuture.com/chinese-cyberespionage-operations",
"https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf"
],
"synonyms": [
"DeepCliff",
"Red Dev 3"
]
},
"uuid": "71a3b962-9a36-11e8-88f8-b31d20c6fa2a",
@ -6507,11 +6517,12 @@
"synonyms": [
"BRONZE PRESIDENT",
"HoneyMyte",
"Red Lich"
"Red Lich",
"TEMP.HEX"
]
},
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
"value": "Mustang Panda"
"value": "MUSTANG PANDA"
},
{
"description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
@ -7427,7 +7438,8 @@
"synonyms": [
"ZIRCONIUM",
"JUDGMENT PANDA",
"BRONZE VINEWOOD"
"BRONZE VINEWOOD",
"Red keres"
]
},
"uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
@ -7485,7 +7497,8 @@
"Palmerworm",
"G0098",
"T-APT-03",
"Manga Taurus"
"Manga Taurus",
"Red Djinn"
]
},
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
@ -7822,11 +7835,20 @@
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology"
"https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
"https://www.recordedfuture.com/china-linked-ta428-threat-group",
"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
"https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
"https://blog.group-ib.com/task",
"https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op",
"https://www.youtube.com/watch?v=1WfPlgtfWnQ",
"https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
"https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
"https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf"
],
"synonyms": [
"Temp.Hex",
"Vicious Panda"
"Colourful Panda",
"BRONZE DUDLEY"
]
},
"uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
@ -7991,10 +8013,13 @@
"meta": {
"refs": [
"https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
],
"synonyms": [
"BRONZE MEDLEY"
]
},
"uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3",
"value": "Calypso group"
"value": "Calypso"
},
{
"description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).",
@ -8671,7 +8696,8 @@
"synonyms": [
"ATK233",
"G0125",
"Operation Exchange Marauder"
"Operation Exchange Marauder",
"Red Dev 13"
]
},
"uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
@ -8708,7 +8734,8 @@
"https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html",
"https://twitter.com/hatr/status/1377220336597483520",
"https://www.mandiant.com/resources/unc1151-linked-to-belarus-government",
"https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers/"
"https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
],
"synonyms": [
"UNC1151",
@ -9688,9 +9715,312 @@
"Money Libra"
]
},
"uuid": "bc6f3b91-5a28-46df-9778-179218c809fe",
"uuid": "4d522fad-452c-46be-94ea-5803aec9b709",
"value": "Kinsing"
},
{
"description": "According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. This group's campaign uses multiple malware families that target the Windows, Linux, and macOS platforms that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which has been dubbed PuppetLoader.",
"meta": {
"cfr-suspected-victims": [
"China",
"United States",
"Hong Kong",
"Malaysia",
"Taiwan"
],
"cfr-target-category": [
"Gambling Websites",
"Information technology",
"Electronics Manufacturers",
"Education"
],
"country": "CN",
"refs": [
"https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
"https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
"https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
"https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt",
"https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt",
"https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt",
"https://www.youtube.com/watch?v=QXGO4RJaUPQ",
"https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf"
]
},
"uuid": "9d82077b-7e95-4b22-8762-3224797ff5f0",
"value": "Earth Berberoka"
},
{
"description": "Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated attacks.",
"meta": {
"cfr-suspected-victims": [
"Australia",
"China",
"France",
"Germany",
"Hong Kong",
"Japan",
"Mongolia",
"Nepal",
"Nigeria",
"Philippines",
"Taiwan",
"Thailand",
"United Arab Emirates",
"United States",
"Vietnam"
],
"cfr-target-category": [
"Gambling companies",
"Government Institutions",
"Education",
"Media and Entertainment",
"Pro-democracy and human rights political organizations",
"Telecommunications",
"Religious organization",
"Cryptocurrency",
"Medical",
"Covid-19 research organizations"
],
"country": "CN",
"refs": [
"https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
"https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E",
"https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf",
"https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html"
],
"synonyms": [
"CHROMIUM",
"ControlX",
"TAG-22",
"FISHMONGER",
"BRONZE UNIVERSITY",
"Red Dev 10"
]
},
"uuid": "39150b30-61af-4d9c-9682-1595e145f3c1",
"value": "Earth Lusca"
},
{
"description": "Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely used in Taiwan. The threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong.",
"meta": {
"cfr-suspected-victims": [
"Hong Kong",
"Taiwan"
],
"cfr-target-category": [
"Government",
"Education"
],
"country": "CN",
"refs": [
"https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html"
]
},
"uuid": "c96e1329-cf7e-44ac-a3db-9e251dc98ec5",
"value": "Earth Wendigo"
},
{
"description": "In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia. The threat group deployed a China Chopper webshell and ran the Nishang Invoke-PowerShellTcp.ps1 script to connect back to C2 infrastructure. The threat group is publicly linked to malware families Chinoxy, PCShare and FunnyDream. CTU researchers have discovered that BRONZE EDGEWOOD also leverages Cobalt Strike in its intrusion activity. BRONZE EDGEWOOD has been active since at least 2018 and targets government and private enterprises across Southeast Asia. CTU researchers assess with moderate confidence that BRONZE EDGEWOOD operates on behalf the Chinese government and has a remit that covers political espionage.",
"meta": {
"cfr-suspected-victims": [
"Kyrgyzstan",
"Malaysia",
"Vietnam"
],
"country": "CN",
"refs": [
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
],
"synonyms": [
"Red Hariasa"
]
},
"uuid": "b4ce9385-eedf-4a71-803c-6d53a250d10b",
"value": "BRONZE EDGEWOOD"
},
{
"description": "APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, as well as remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspect that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 use a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom, but are used by multiple APT groups.",
"meta": {
"cfr-suspected-victims": [
"United States"
],
"cfr-target-category": [
"Pharmaceuticals",
"Healthcare",
"Construction",
"Aerospace",
"Defense industrial base"
],
"country": "CN",
"refs": [
"https://www.mandiant.com/resources/apt-groups#apt19",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
],
"synonyms": [
"Red Pegasus"
]
},
"uuid": "7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5",
"value": "APT9"
},
{
"description": "BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper webshell for remote execution and persistence, and creates RAR archives with a '.jpg' file extension for data exfiltration. \nIn July 2020 the U.S. Department of Justice indicted two Chinese hackers CTU researchers assess are members of the BRONZE SPRING threat group. The Department of Justice allege these hackers were responsible for compromising networks of hundreds of organisations and individuals in the U.S. and abroad since 2009, and that exfiltrated data would be passed to the Chinese Ministry of State Security or sold for financial gain.",
"meta": {
"cfr-suspected-victims": [
"United States",
"Australia",
"Belgium",
"Germany",
"Japan",
"Lithuania",
"Netherlands",
"Spain",
"South Korea",
"Sweden",
"United Kingdom"
],
"cfr-target-category": [
"Information technology",
"Medical",
"Civil engineering",
"Business",
"Education",
"Gaming",
"Energy",
"Pharmaceuticals",
"Defense industrial base"
],
"country": "CN",
"refs": [
"https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion",
"https://www.justice.gov/opa/press-release/file/1295981/download",
"https://www.justice.gov/opa/press-release/file/1295986/download",
"https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name",
"https://twitter.com/MrDanPerez/status/1390285821786394624"
],
"synonyms": [
"UNC302"
]
},
"uuid": "8b77424e-18bc-4ea7-baa4-d87441978e20",
"value": "BRONZE SPRING"
},
{
"description": "BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posted victim names to leak sites. \nCTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on observed tradecraft, including the use of HUI Loader and PlugX which are associated with China-based threat group activity. It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property theft or conducting espionage.",
"meta": {
"country": "CN",
"refs": [
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation",
"https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility",
"https://twitter.com/cglyer/status/1480734487000453121"
],
"synonyms": [
"DEV-0401"
]
},
"uuid": "737c0207-1a1a-4480-86e7-b6a5066e1ee5",
"value": "BRONZE STARLIGHT"
},
{
"description": "BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and KsRemote Android Rat. CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China",
"meta": {
"cfr-suspected-victims": [
"Hong Kong",
"Malaysia",
"India",
"Taiwan"
],
"country": "CN",
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware",
"https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf",
"https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s"
],
"synonyms": [
"Evasive Panda"
]
},
"uuid": "62710572-e416-419d-bb1f-81ffc1ddc976",
"value": "BRONZE HIGHLAND"
},
{
"description": "In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally.\n\nBRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. The threat group makes extensive use of native system tools and 'living off the land' techniques.",
"meta": {
"country": "CN",
"refs": [
"https://unit42.paloaltonetworks.com/solarstorm-supernova",
"https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis",
"https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group",
"https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112"
]
},
"uuid": "3f04dbbc-69bc-409b-82a1-6135f0b6a41c",
"value": "BRONZE SPIRAL"
},
{
"description": "BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated with this group and open source reporting on related incidents indicate that BRONZE VAPOR have operated since at least 2017. The group conducts espionage against multiple industries including semiconductors, aviation and telecommunications. CTU researchers assess BRONZE VAPOR's intent to be information theft, with operations focused on intellectual property (semiconductors) and personally identifiable information such as traveller records (aviation). Compromise of telecommunications companies can yield personally identifiable information and meta data on client communications such as Call Data Records (CDR).\n\nPrior to 2019 their operational focus, with some exceptions, revolved around targets in East Asia particularity Taiwan with it's thriving semiconductor industry. In 2021 details emerged in open source of attacks on at least one European semiconductor company believed to date back to 2017. In 2019 BRONZE VAPOR attacked one of more entities in the European airlines sector. The group gains initial access via VPN services, may use spearphishing with 'Letter of Appointment' themed lures, and deploys Cobalt Strike along with custom data exfiltration tools to target organizations. Post-intrusion activity involves living-of-the-land using legitimate tools and commands available within victim environment as well as using AceHash for credential harvesting, WATERCYCLE for data exfiltration and STOCKPIPE for proxying information through Microsoft Exchange servers over email.\n\nBRONZE VAPOR uses a set of tactics that, although not individually unique, when viewed in aggregate create a relatively distinct playbook. Intrusions begin with credential based attacks against an existing remote access solution (Citrix, VPN etc.) or B2B network access. Cobalt Strike is deployed into the environment and further access is then conducted via Cobalt Strike Beacon and other features of the platform. Sharphound is deployed to map out the victim's Active Directory infrastructure and and collect critical information about the domain including important account names. Command and control infrastructure is hosted on subdomains of Azure and Appspot services to blend in with legitimate traffic. The threat actor also registers their own domains for command and control, often with a \"sync\" or \"update\" related theme. WinRAR is commonly used for compressing data prior to exfiltration. Filenames for these archives often involve a string of numbers and variations of the word \"update\". Data is exfiltrated using WATERCYCLE to cloud based platforms such as OneDrive and GoogleDrive.",
"meta": {
"cfr-suspected-victims": [
"Taiwan"
],
"cfr-target-category": [
"Semiconductor Industry"
],
"country": "CN",
"refs": [
"https://www.secureworks.com/research/threat-profiles/bronze-vapor"
]
},
"uuid": "af12a336-bb68-41ff-866a-834cedc0b5fc",
"value": "BRONZE VAPOR"
},
{
"description": "Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. \nA closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.",
"meta": {
"cfr-suspected-victims": [
"Belarus",
"Russia",
"Mongolia",
"Ukraine"
],
"country": "CN",
"refs": [
"https://securelist.com/microcin-is-here/97353",
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
"https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
"https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf"
]
},
"uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717",
"value": "Vicious Panda"
},
{
"description": "Red Nue, active since at least 2017, is known for its use of the multi-platform LootRAt backdoor, also known as ReverseWindow. LootRAT has variants for Windows and Macintosh (reported in open source as Demsty), as well as an Android variant known as SpyDealer. Red Nue has also used another Windows backdoor known as WinDealer since at least 2019, when it deployed it to targets as part of a watering hole campaign on a Chinese news website for the Chinese diaspora community. Parts of Asia feature heavily in Red Nue's victimology.",
"meta": {
"country": "CN",
"refs": [
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf",
"https://blogs.jpcert.or.jp/en/2021/10/windealer.html",
"https://securelist.com/windealer-dealing-on-the-side/105946",
"https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware"
],
"synonyms": [
"LuoYu"
]
},
"uuid": "c73c8a76-1e44-44d6-b955-79f3a73582a1",
"value": "Red Nue"
}
],
"version": 234
"version": 235
}