Merge pull request #922 from Mathieu4141/threat-actors/133b2e2d-4948-4361-a9c5-d1798d1b7f4e

[threat actors] Add some missing Proofpoint aliases
pull/928/head
Alexandre Dulaunoy 2024-02-05 13:51:10 +01:00 committed by GitHub
commit 9bd5c32a36
1 changed files with 78 additions and 17 deletions


@ -1035,7 +1035,8 @@
"https://unit42.paloaltonetworks.com/atoms/granite-taurus",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
],
"synonyms": [
"STONE PANDAD",
@ -1049,7 +1050,8 @@
"BRONZE RIVERSIDE",
"ATK41",
"G0045",
"Granite Taurus"
"Granite Taurus",
"TA429"
]
},
"related": [
@ -1945,7 +1947,8 @@
"COBALT TRINITY",
"G0064",
"ATK35",
"Peach Sandstorm"
"Peach Sandstorm",
"TA451"
],
"victimology": "Petrochemical, Aerospace, Saudi Arabia"
},
@ -3214,7 +3217,8 @@
"https://attack.mitre.org/groups/G0082",
"https://attack.mitre.org/groups/G0032",
"https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/",
"https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds"
"https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
],
"synonyms": [
"Operation DarkSeoul",
@ -3252,7 +3256,9 @@
"Diamond Sleet",
"ZINC",
"Sapphire Sleet",
"COPERNICIUM"
"COPERNICIUM",
"TA404",
"Lazarus group"
]
},
"related": [
@ -4022,7 +4028,8 @@
"G0049",
"Evasive Serpens",
"Hazel Sandstorm",
"EUROPIUM"
"EUROPIUM",
"TA452"
],
"targeted-sector": [
"Chemical",
@ -6200,7 +6207,8 @@
"https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
"https://attack.mitre.org/groups/G0069/",
"http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
"https://unit42.paloaltonetworks.com/atoms/boggyserpens/"
"https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
"https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/"
],
"synonyms": [
"TEMP.Zagros",
@ -6211,7 +6219,8 @@
"G0069",
"ATK51",
"Boggy Serpens",
"Mango Sandstorm"
"Mango Sandstorm",
"TA450"
]
},
"related": [
@ -6957,7 +6966,10 @@
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
"https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
"https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european",
"https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/"
],
"synonyms": [
"BRONZE PRESIDENT",
@ -6965,7 +6977,10 @@
"Red Lich",
"TEMP.HEX",
"BASIN",
"Earth Preta"
"Earth Preta",
"TA416",
"Stately Taurus",
"LuminousMoth"
]
},
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
@ -7613,7 +7628,8 @@
"REMIX KITTEN",
"COBALT HICKMAN",
"G0087",
"Radio Serpens"
"Radio Serpens",
"TA454"
]
},
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@ -7931,12 +7947,15 @@
"https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian",
"https://www.secureworks.com/research/threat-profiles/cobalt-dickens",
"https://community.riskiq.com/article/44eb0802"
"https://community.riskiq.com/article/44eb0802",
"https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect"
],
"synonyms": [
"COBALT DICKENS",
"Mabna Institute",
"TA407"
"TA407",
"TA4900",
"Yellow Nabu"
]
},
"uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
@ -7971,14 +7990,17 @@
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
],
"synonyms": [
"ZIRCONIUM",
"JUDGMENT PANDA",
"BRONZE VINEWOOD",
"Red keres",
"Violet Typhoon"
"Violet Typhoon",
"TA412",
"Zirconium"
]
},
"related": [
@ -9161,10 +9183,16 @@
"refs": [
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
"https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/"
"https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/",
"https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector"
],
"synonyms": [
"DeathStalker"
"DeathStalker",
"TA4563",
"EvilNum",
"Jointworm"
]
},
"uuid": "b6f3150f-2240-4c57-9dda-5144c5077058",
@ -14728,6 +14756,39 @@
},
"uuid": "2485a9cb-b41c-43bd-8b1c-c64e919c0a4e",
"value": "Storm-1575"
},
{
"description": "Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the users contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers. \n\n",
"meta": {
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks"
]
},
"uuid": "e9de47f0-3e68-465c-b91e-7a2b7371955c",
"value": "TA2552"
},
{
"description": "TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.",
"meta": {
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread"
],
"synonyms": [
"Balikbayan Foxes"
]
},
"uuid": "625c3fb4-16fc-4992-9ff2-4fad869750ac",
"value": "TA2722"
},
{
"description": "In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay. ",
"meta": {
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages"
]
},
"uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52",
"value": "TA2719"
}
],
"version": 298
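Review bot: `"Zirconium"`, added in the `@ -7971,14 +7990,17 @@` hunk, duplicates `"ZIRCONIUM"`, which is already the first synonym of the same list, and differs only in case; a consumer that matches aliases case-insensitively gains nothing from it and a duplicate-synonym check would flag it, so the new line should be dropped. The same check is worth running on `"Lazarus group"` (the `-3252` hunk) and `"EvilNum"` (the `-9161` hunk), since the cluster's `value` line sits outside those hunks and may already spell the name with different casing. In the first hunk (`-1035`) the reference added is the TA410/LookBack article while the alias added two lines further down is `"TA429"`; the slug names a different Proofpoint designation, so confirm that URL is the intended source for that alias. The new TA2552 and TA2719 descriptions carry trailing whitespace (`... Spanish speakers. \n\n"` and `... Uruguay. "`), which should be trimmed before merge.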