From 0ca98cd054b2cea51db158307cfee8272710dbf3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 30 Jan 2024 10:32:26 -0800
Subject: [PATCH 1/3] [threat-actors] Add Blackwood
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 09c327c..31ea079 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14113,6 +14113,18 @@
 },
 "uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb",
 "value": "Cotton Sandstorm"
+ },
+ {
+ "description": "Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capability to hide the location of their command and control servers by intercepting traffic generated by the implant.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/",
+ "https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/"
+ ]
+ },
+ "uuid": "46e26e5c-ad74-45aa-a654-1afef67f4566",
+ "value": "Blackwood"
 }
 ],
 "version": 297
From 5aa3b622441cc9a6ed291853ac8b41ba7d6dd70d Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 30 Jan 2024 10:32:26 -0800
Subject: [PATCH 2/3] [threat-actors] Add UTA0178 aliases
---
 clusters/threat-actor.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 31ea079..2b2101f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
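Review bot: The cluster `version` stays at 297 as a context line (`"version": 297`) although this hunk adds a whole new entry, and neither the UTA0178 hunk nor the UNC2452 hunk in the following patches bumps it either; the galaxy version is what MISP instances compare when deciding whether to re-import a cluster, so a stale version can leave the Blackwood entry and the new synonyms undelivered. Bump it once for the series, e.g. `"version": 298`. Within the new entry, the description says the group has been "active since at least 2018" while the ESET reference slug reads `evolving-since-2005`; a short clarification in the description that the earlier date refers to the implant lineage rather than the group would save readers from reading the two as contradictory. The `"country": "CN"` value is asserted as fact while the description only says "China-aligned"; if the attribution is assessed rather than confirmed, saying so in the description keeps the two fields consistent.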
@@ -14035,7 +14035,14 @@
 "meta": {
 "country": "CN",
 "refs": [
- "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/"
+ "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/",
+ "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
+ "https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/",
+ "https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/"
+ ],
+ "synonyms": [
+ "UNC5221"
 ]
 },
 "uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",
From 85f22c7d2e0362b9ea47c6544885f544ee809edc Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 30 Jan 2024 10:32:27 -0800
Subject: [PATCH 3/3] [threat-actors] Add UNC2452 aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2b2101f..c1872bb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
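Review bot: The new `"synonyms": ["UNC5221"]` equates Volexity's UTA0178 designation with Mandiant's UNC5221 on the strength of the added references, but nothing in the entry records that this is a cross-vendor overlap of two independently tracked clusters rather than a rename; a sentence in the entry's `description` (which sits above `"meta"` and outside this hunk) such as "Mandiant tracks the same Ivanti Connect Secure exploitation activity as UNC5221" would give consumers the basis for the merge. The two Volexity posts now referenced are dated 2024/01/10 and 2024/01/18; if the description still describes only the initial exploitation, it should be updated to reflect the later observations the second post reports. The enclosing entry's `value` and `description` lines are outside the hunk.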
@@ -9253,13 +9253,16 @@
 "https://github.com/fireeye/sunburst_countermeasures",
 "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
 "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html",
- "https://unit42.paloaltonetworks.com/atoms/solarphoenix/"
+ "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/",
+ "https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/"
 ],
 "synonyms": [
 "DarkHalo",
 "StellarParticle",
 "NOBELIUM",
- "Solar Phoenix"
+ "Solar Phoenix",
+ "Midnight Blizzard"
 ]
 },
 "related": [
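Review bot: Adding `"Midnight Blizzard"` to this entry's synonyms is supported by the two Microsoft references, but Midnight Blizzard is Microsoft's current name for the actor the galaxy also tracks under its separate APT 29 entry, and the existing `"NOBELIUM"` synonym here already straddles the same overlap; if the APT 29 entry carries, or later gains, the same synonym, the cluster will list one name under two UUIDs, which the repository's duplicate checks are likely to flag. Verify the APT 29 entry before merging and, where both entries legitimately cover the name, express the overlap through the `related` list that begins at the last line of this hunk rather than by duplicating the synonym. The `related` array and the remainder of the entry continue outside the hunk.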