MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'MISP:main' into main

pull/1013/head
th3r3d 2024-10-30 12:41:39 +01:00 committed by GitHub
parent f3c534a6d8 38f12d8ffb
commit a5d6e6672c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 6714 additions and 6585 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
[Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware.
Category: *tool* - source: *Open Sources* - total: *28* elements
Category: *tool* - source: *Open Sources* - total: *29* elements
[[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
@ -87,7 +87,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47
[Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy
Category: *tool* - source: *MISP Project* - total: *130* elements
Category: *tool* - source: *MISP Project* - total: *132* elements
[[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)]
@ -495,7 +495,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
[Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.
Category: *actor* - source: *MISP Project* - total: *37* elements
Category: *actor* - source: *MISP Project* - total: *46* elements
[[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)]
@ -503,7 +503,7 @@ Category: *actor* - source: *MISP Project* - total: *37* elements
[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project.
Category: *tool* - source: *Various* - total: *1804* elements
Category: *tool* - source: *Various* - total: *1809* elements
[[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
@ -543,7 +543,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
[Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2964* elements
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2970* elements
[[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
@ -607,7 +607,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *736* elements
Category: *actor* - source: *MISP Project* - total: *751* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -615,7 +615,7 @@ Category: *actor* - source: *MISP Project* - total: *736* elements
[Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster
Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *78* elements
Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *83* elements
[[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)]
@ -623,7 +623,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns
[Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy
Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *200* elements
Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *206* elements
[[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)]
@ -631,7 +631,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group
[Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4309* elements
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4349* elements
[[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)]
@ -639,7 +639,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc
[Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1014* elements
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1053* elements
[[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)]

12
clusters/backdoor.json
View File

@ -488,7 +488,17 @@
],
"uuid": "4838b37b-2d1f-4cb8-945d-7185580f0bff",
"value": "TERRIBLETEA"
},
{
"description": "Merdoor is a fully-featured backdoor that appears to have been in existence since 2018.\nThe backdoor contains the following functionality: Installing itself as a service, Keylogging, A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), Ability to listen on a local port for commands\nInstances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted configuration, which determines: C&C communication method, Service details, Installation directory\nTypically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
]
},
"uuid": "8ebda9f4-f8f2-4d35-ba2b-d6ecb54b23d4",
"value": "Merdoor"
}
],
"version": 19
"version": 20
}

24
clusters/botnet.json
View File

@ -2031,7 +2031,29 @@
},
"uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff",
"value": "Ztorg"
},
{
"meta": {
"refs": [
"https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router",
"https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd"
],
"synonyms": [
"7777"
]
},
"uuid": "3e027dad-9c0a-437e-9938-dd3cf13b0c22",
"value": "Quad7"
},
{
"meta": {
"refs": [
"https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router"
]
},
"uuid": "963d898f-dc48-409e-8069-aaa51ad6664c",
"value": "63256 botnet"
}
],
"version": 35
"version": 36
}

265
clusters/producer.json
View File

@ -448,7 +448,7 @@
"value": "BleepingComputer"
},
{
"description": "",
"description": "Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV[3] anti-virus engine",
"meta": {
"country": "US",
"refs": [
@ -663,7 +663,268 @@
},
"uuid": "e5964f36-7644-4f73-bdfd-f24d9e006656",
"value": "Avira"
},
{
"description": "Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California.",
"uuid": "a0a87034-b8ff-4991-9ae1-e650a43292ef",
"value": "Cloudflare"
},
{
"description": "Recorded Future, Inc. is an American privately held cybersecurity company founded in 2009, with headquarters in Somerville, Massachusetts.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.recordedfuture.com/"
],
"product-type": [
"Digital Risk Protection",
"Threat Intelligence",
"Exposure Management",
"Threat Intelligence Feeds"
],
"products": [
"Threat Intelligence",
"Brand Intelligence",
"SecOps Intelligence",
"Vulnerability Intelligence",
"Third-Party Intelligence",
"Geopolitical Intelligence",
"Attack Surface Intelligence",
"Identity Intelligence",
"Payment Fraud Intelligence",
"Analyst On Demand"
],
"refs": [
"https://en.wikipedia.org/wiki/Recorded_Future",
"https://www.recordedfuture.com/resources"
],
"synonyms": [
"Recorded Future, Inc",
"Insikt Group"
]
},
"uuid": "ad7032df-0e9a-4ea9-b35c-c68ff854be80",
"value": "Recorded Future"
},
{
"description": "Cyble empowers organizations to take control of their cyber risks with AI-driven, cybersecurity platforms.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://cyble.com/"
],
"product-type": [
"Digital Risk Protection",
"Threat Intelligence",
"Exposure Management"
],
"products": [
"Cyble Vision",
"Cyble Hawk",
"AmIBreached",
"Odin",
"The Cyber Express"
],
"refs": [
"https://cyble.com/resources/",
"https://thecyberexpress.com/"
],
"synonyms": [
"The Cyber Express"
]
},
"uuid": "43e3e0a8-a12d-450a-8f2d-94915123549c",
"value": "Cyble"
},
{
"description": "CYFIRMA is a threat discovery and cyber-intelligence company with the worlds first platform that can deliver predictive cyber-intelligence",
"meta": {
"company-type": "Cyber Intelligence Provider",
"country": "SG",
"official-refs": [
"https://www.cyfirma.com/"
],
"product-type": [
"Threat Intelligence",
"Digital Risk Protection",
"Mobile App"
],
"products": [
"DeCYFIR",
"DeTCT",
"DeFNCE"
],
"refs": [
"https://www.cyfirma.com/research/",
"https://golden.com/wiki/CYFIRMA-K46ZYP8"
]
},
"uuid": "9d804c53-f307-421c-9f4d-41061c7eee62",
"value": "Cyfirma"
},
{
"description": "SentinelOne, Inc. is an American cybersecurity company listed on NYSE based in Mountain View, California.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.sentinelone.com/"
],
"product-type": [
"Endpoint Protection",
"Endpoint Detection Response",
"Deception Technology"
],
"products": [
"Singularity Platform",
"Singularity Identity",
"Singularity Hologram"
],
"refs": [
"https://www.sentinelone.com/labs/"
],
"synonyms": [
"Sentinel One"
]
},
"uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461",
"value": "SentinelOne"
},
{
"description": "Fortinet, Inc. is a cybersecurity company with headquarters in Sunnyvale, California. The company develops and sells security solutions like firewalls, endpoint security and intrusion detection systems.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.fortinet.com/"
],
"product-type": [
"Firewall",
"Application delivery controller",
"SOAR",
"Web application firewall / API security",
"Network security platform"
],
"products": [
"FortiADC",
"FortiAnalyzer",
"FortiAuthenticator",
"FortiCASB",
"FortiClient",
"FortiEDR",
"FortiCNP",
"FortiDDos",
"FortiDeceptor",
"FortiExtender",
"FortiGate",
"FortiIsolator",
"FortiMail",
"FortiManager",
"FortiNAC",
"FortiPAM",
"FortiSandbox",
"FortiSIEM",
"FortiSASE",
"FortiSOAR",
"FortiSwitch",
"FortiTester",
"FortiToken",
"FortiVoice",
"FortiWeb"
],
"refs": [
"https://en.wikipedia.org/wiki/Fortinet",
"https://www.fortinet.com/blog/threat-research"
]
},
"uuid": "bfafdca5-3171-4953-86ab-c74f44822fd3",
"value": "Fortinet"
},
{
"description": "Zscaler, Inc. (/ˈziːˌskeɪlər/) is an American cloud security company based in San Jose, California. The company offers cloud-based services to protect enterprise networks and data.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.zscaler.com/"
],
"product-type": [
"Secure Web Gateway",
"SASE",
"VPN",
"CASB",
"DLP"
],
"products": [
"Zscaler Internet Access",
"Zscaler Private Access",
"Zscaler Digital Experience",
"Zscaler Zero Trust Exchange"
],
"refs": [
"https://www.zscaler.com/blogs?type=security-research",
"https://en.wikipedia.org/wiki/Zscaler"
]
},
"uuid": "1427d7df-a9b8-4809-afe0-1180cfdd930d",
"value": "Zscaler"
},
{
"description": "Splunk Inc. is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a web-style interface.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"product-type": [
"SIEM",
"Observability",
"SOAR",
"UEBA"
],
"products": [
"Splunk Enterprise Security",
"Splunk ITSI",
"Splunk SOAR",
"Splunk Observability Cloud",
"Splunk UEBA"
],
"refs": [
"https://www.splunk.com/",
"https://www.splunk.com/en_us/blog/security.html",
"https://en.wikipedia.org/wiki/Splunk"
]
},
"uuid": "7acb73f9-83c8-4a1d-88e5-873bad8659fa",
"value": "Splunk"
},
{
"description": "Huntress Labs Incorporated operates as a security software solution provider. The Company provides managed threat detection and response services to uncover, address persistent footholds that prevent defenses. Huntress Labs serves customers in the United States.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.huntress.com/"
],
"product-type": [
"Managed Security",
"Endpoint Detection Response",
"Security Awareness Training"
],
"products": [
"Managed EDR",
"MDR for Microsoft 365",
"Security Awareness Training",
"Managed SIEM"
],
"refs": [
"https://www.huntress.com/",
"https://www.huntress.com/blog"
]
},
"uuid": "9bfc59a7-ab20-4ef0-8034-871956d4a9cc",
"value": "Huntress"
}
],
"version": 11
"version": 15
}

260
clusters/ransomware.json
View File

@ -1494,6 +1494,15 @@
"HavocCrypt Ransomware"
]
},
"related": [
{
"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
"value": "Havoc"
},
@ -14569,7 +14578,10 @@
],
"links": [
"http://ekbgzchl6x2ias37.onion",
"http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/"
"http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/",
"http://3ws3t4uo7fehnn4qpmadk3zjrxta5xlt3gsc5mx4sztrsy7ficuz5ayd.onion/",
"http://amnwxasjtjc6e42siac6t45mhbkgtycrx5krv7sf5festvqxmnchuayd.onion/",
"http://qahjimrublt35jlv4teesicrw6zhpwhkb6nhtonwxuqafmjhr7hax2id.onion/"
],
"refs": [
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
@ -16067,7 +16079,13 @@
"description": "Ransomware",
"meta": {
"links": [
"http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion"
"http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion",
"http://4qyjonpyksc52bc3fsgfgedssqgo4a6vlfsjknqnkncbyl4layqkqjid.onion/",
"http://eleav2eq3ioyiuevbyvqaz3vruwvpislphszo4cm7n56itbpnupxngyd.onion/",
"http://2cyxmof76rxeqze5snxxooqmhzjtcploqswxoxmenfayphumdhrtrzqd.onion/",
"http://rqqn25k3hgmfkh7ykjbmakjgidwweomr7cbpy6pfecpxs57r5iwzwtyd.onion/",
"http://mu6se7h7qfwuqclr4cc6zy7qevod6gyk37aq5vwnayrtbx3qqycx2fyd.onion/",
"http://urey23jtg6z7xx3tiybmc4sgcim7dawiz2abl6crpup2lfobf7yb5wyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/blackout"
@ -26489,7 +26507,19 @@
"links": [
"https://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/",
"https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion",
"http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/"
"http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/",
"http://6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion/",
"http://r6qkk55wxvy2ziy47oyhptesucwdqqaip23uxregdgquq5oxxlpeecad.onion/",
"http://weqv4fxkacebqrjd3lmnss6lrmoxoyihtcc6kdc6mblbv62p5q6skgid.onion/",
"http://thesiliconroad1.top/",
"http://stuffstevenpeters4.top/",
"http://greenmotors5.top/",
"http://megatron3.top/",
"http://fmzipzpirdpfelbbvnfhoehqxbqg7s7efmgce6hpr5xdcmeazdmic2id.onion/",
"http://daulpxe3epdysjozaujz4sj7rytanp4suvdnebxkwdfcuzwxlslebvyd.onion/",
"http://databasebb3.top/",
"http://l6zxfn3u2s4bl4vt3nvpve6uibqn3he3tgwdpkeeplhwlfwy3ifbt5id.onion/",
"http://onlylegalstuff6.top/"
],
"ransomnotes": [
"Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]"
@ -26733,7 +26763,8 @@
],
"links": [
"http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion/",
"https://0mega.cc/"
"https://0mega.cc/",
"https://0mega.ws/"
],
"ransomnotes-filenames": [
"DECRYPT-FILES.txt"
@ -27640,7 +27671,8 @@
"http://lbbjmbkvw3yurmnazwkbj5muyvw5dd6y7hyxrus23y33qiqczclrnbyd.onion/",
"http://lbbpoq6d2jglpw7dxarr6oaakgnlxt5nmrza5ojlufsuffuzexajsuyd.onion/",
"http://lbbp2rsfcmg5durpwgs22wxrdngsa4wiwmc4xk6hgmuluy6bvbvvtlid.onion/",
"http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/"
"http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/",
"http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/ec_page3.php"
],
"refs": [
"https://threatpost.com/lockbit-ransomware-proliferates-globally/168746",
@ -28417,7 +28449,8 @@
"links": [
"https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion",
"https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login",
"https://huntersinternational.net"
"https://huntersinternational.net",
"http://huntersinternational.su"
],
"refs": [
"https://www.ransomlook.io/group/hunters"
@ -28524,7 +28557,8 @@
"meta": {
"links": [
"http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion/",
"http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion"
"http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion",
"http://92.118.36.204/"
],
"refs": [
"https://www.ransomlook.io/group/8base"
@ -28551,7 +28585,19 @@
"description": "",
"meta": {
"links": [
"http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion"
"http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion",
"http://c7jpc6h2ccrdwmhofuij7kz6sr2fg2ndtbvvqy4fse23cf7m2e5hvqid.onion",
"http://nz2ihtemh2zli2wc3bovzps55clanspsqx5htu2plolby45a7pk4d3qd.onion/",
"http://qjdremetxo2zpli32exwb5uct6cjljyj7v52d5thn7usmj5mlyxdojqd.onion/",
"http://yef4xoqj2jq554rqetf2ikmpdtewdlbnx5xrtjtjqaotvfw77ipb6pad.onion/",
"http://ptsfbwx5j7kyk5r6n6uz4faic43jtb55sbls7py5wztwbxkyvsikguid.onion/",
"http://ro4h37fieb6oyfrwoi5u5wpvaalnegsxzxnwzwzw43anxqmv6hjcsfyd.onion/",
"http://cyfafnmijhiqxxfhtofmn5lgk3w5ana6xzpc6gk5uvdfadqflvznpjyd.onion/",
"http://betrvom4agzebo27bt7o3hk35tvr7ppw3hrx5xx4ecvijwfsb4iufoyd.onion/",
"http://ybo3xr25btxs47nmwykoudoe23nyv6ftkcpjdo4gilfzww4djpurtgid.onion/",
"http://k6wtpxwq72gpeil5hqofae7yhbtxphbkyoe2g7rwmpx5sadc4sgsfvid.onion/",
"http://vm2rbvfkcqsx2xusltbxziwbsrunjegk6qeywf3bxpjlznq622s3iead.onion/",
"http://ng2gzceugc2df6hp6s7wtg7hpupw37vqkvamaydhagv2qbrswdqlq6ad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/black suit"
@ -28616,7 +28662,34 @@
{
"meta": {
"links": [
"http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion"
"http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion",
"http://ufvi7hpcawesdklmommeeq4iokhq2km4hay3dwh4rirth5xaomle35id.onion/",
"http://t7ogwvu74a6flssns55yv7zw2xvssqbhrdbxqrwbahumyzwklnvqayid.onion/",
"http://gmxnejtsg3uiwopmnsooxbi3p2nukwemkvm7bg44tgbbnuuuyofqjfyd.onion/",
"http://jtjz6utbmabwcatyomwxaeum7ey7nxs7yooqflxhctnksjqsnammonqd.onion/",
"http://2mhkqjcw4auxop7auchz2iijcbj63qccwodtokofbb2ul5oejkkt6xyd.onion/",
"http://wka7ma7rzgmzmtn65dhv5zp5p6e3uv5sydnns7xsf6kpf7noukhchhqd.onion/",
"http://l3yeoyhnphtymqua5env7qitedmqv5ahe7waxgndwa64z2c2h3cjjhqd.onion/",
"http://2j45tydxcvm44jbyr6krhx77rzey3jtif5qdjak2gik4usoljvvhqaid.onion/",
"http://cuft7z2xlfogrtx4ddqnjqyerye2qtagksow2fip4xbb5iw7dsgtvhqd.onion/",
"http://wyz32kscr2ythqpyjwqfxcaxn5576fdurr7jag44gggnmi4cvhykhvid.onion/",
"http://3pb6cefz6hubgyb2ph7ua7yjzjpxwapbbp5zomz7xmvrjhjfykjwu6id.onion/",
"http://kn4spxunete4ddz7375i2wpnj4vvkir7wdmcg2pc5yod56lmb54nbayd.onion/",
"http://2ikvareyuw2wjnc4vb5yteq7d2tkg6k3gevnixzqtkn3cpvej6ajj4yd.onion/",
"http://wflff64dxxqvfhd7poarkvkphmibdjyyhv7h4zqo5m52ggsgncmbrbqd.onion/",
"http://frheu6drsqpehmuyrdxdrfu5bzqwxps4zlmnuxlcnxskwxcwqsyhwxyd.onion/",
"http://kceqbaoxmx2czutxty3mq35m5mv46dq66hpszrhbhduj7uwhu6ax3qad.onion/",
"http://4nsmlpz4qceow7bfrmarxdqaj7chcqobin3mzb27uhscb2yvjs6j4xqd.onion/",
"http://nka6xgyyu77ksb5xmmovp4en2hrkg53mfq2osql526oe7nybnlggfgid.onion/",
"http://mflnjnwfinorxxsgkyfel3fqanbtbbrl5k5mqqjwmrf7o3jc6a4hy3id.onion/",
"http://jtt4lqatjtrj5hxxi33dczkluouf5wivzdmy4v62dnhipk6ixk5mktad.onion/",
"http://udugclljnfcx34amtpddkjggmkfqci5xnlfef2hqtxstufulo3pvauid.onion/",
"http://vmmefm7ktazj2bwtmy46o3wxhk42tctasyyqv6ymuzlivszteyhkkyad.onion/",
"http://cfev2mvlqooohl3af2upkgu3ju4qcgqrrgh6sprfxkgh3qldh2ykxzyd.onion/",
"http://2fzahjlleflpcyecd245xe3q6tczjkwzcm4fbhd4q4bsun45y2csyayd.onion/",
"http://wpefgvpyuszr4vg444qed734big233itylqclte7usszbdbfyqvb2lqd.onion/",
"http://gvzbeu532wwxqze3v3xcxpsbhpvwusnajzahi55dqklbunzgjp5wchad.onion/",
"http://ieelfdk3qr6as2u5cx3kfo57pdu6s77lis3lafg5lx5ljqf2izial6ad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/abyss-data"
@ -28851,7 +28924,8 @@
{
"meta": {
"links": [
"http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion"
"http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion",
"http://ulkvlj5sirgrbnvb4hvbjo2ex2c2ceqe2j4my57fcdozpbq5h5pyu7id.onion"
],
"refs": [
"https://www.ransomlook.io/group/3am"
@ -28888,7 +28962,21 @@
"meta": {
"links": [
"http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog",
"http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login"
"http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login",
"http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion",
"http://zsglo7t7osxyk3vcl7zxzup7hs4ir52sntteymmw63zvoxzcqytlw7qd.onion/",
"http://6dgi54prfmpuuolutr4hl3akasxbx4o34g5y2bj4blrvzzkjemhxenad.onion/",
"http://eogeko3sdn66gb7vjpwpmlmmmzfx7umtwaugpf5l6tb5jveolfydnuad.onion/",
"http://ewrxgpvv7wsrqq7itfwg5jr7lkc6zzknndmru5su2ugrowxo3wwy5yad.onion/",
"http://3ro23rujyigqrlrwk3e4keh3a3i6ntgrm3f42tbiqtf7vke47c6a6ayd.onion/",
"http://jziu7k7uee467r2wt66ndrwymmw7tsmqgcqi7aemcaxraqmaf2hdm3yd.onion/",
"http://2yczff6zyiey3gkgl5anwejktdp73abxbzbnvwobmrwkwgf3hudpyvyd.onion/",
"http://bpoowhokr3vi32l3t4mjdtdxfrfpigwachopk5ojwmgxihnojhsawuyd.onion/",
"http://dbvczza7nhwdb5kdvkzjtkrcvwnrt5viw7mihutueprvajy7rxhwq6id.onion/",
"http://xtcwd3xmxpggtizn7kmwwqeizexflkkyqsytg2kauccau6ddsfa4gfyd.onion/",
"http://4wcrfql53ljekid3sn66z6swjot725muveddq77utxltaelw64eikfid.onion/",
"http://73h3lxn24kuayyfkn4t6ij7e67jklo24vqzqdhpts3ygmim7hu6u6aid.onion/",
"http://nwtetzmrqhxieetg5lvth7szzvg35gfrqt23ly46vku56oo7pkueswyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/dragonforce"
@ -28905,7 +28993,8 @@
"http://mjmru3yz65o5szsp4rmkmh4adlezcpy5tqjjc4y5z6lozk3nnz2da2ad.onion/",
"http:// http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion",
"http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion",
"http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion"
"http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion",
"http://xeuvs5poflczn5i5kbynb5rupmidb5zjuza6gaq22uqsdp3jvkjkciqd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/ransomhub"
@ -28946,7 +29035,33 @@
"links": [
"http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion",
"http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion",
"http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion"
"http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion",
"http://ipi4tiumgzjsym6pyuzrfqrtwskokxokqannmd6sa24shvr7x5kxdvqd.onion",
"http://j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion",
"http://zi34ocznt242jallttwvvhihrezjdzfgflf3uhdv6t3z23hhcn54efid.onion",
"http://37wb3ygyb3r2vf2dt5o3ca62zlduuowvkkwjrtbcgc5iri4t6rnzr7yd.onion",
"http://eppsldmcnv3ylabsx5srvf36wnk6jrowg6x4unxclv55rnu4kf5436yd.onion",
"http://slg7tnjb65swwyaebnyymyvo73xm36hxwugdsps7cwcxicizyzyt2byd.onion",
"http://x6zdxw6vt3gtpv35yqloydttvfvwyrju3opkmp4xejmlfxto7ahgnpyd.onion",
"http://jnbiz5lp44ddg4u5rsr4yebbpxa3iytcsshgbqa4m6r6po5y57h6yxid.onion",
"http://sm2gah7bjg6u2dfl3voiex6njh2kcuqqquvv7za37xokmbcivsgqcnad.onion",
"http://z7u6dkys7b2aeibvklxga7mldzrepoauiuniqwfhdadkkwwgmv6bqhad.onion",
"http://kri3lez34pbqra3xs5wxo55djldtsekol6tuqdjqecqzga6dpnjqruyd.onion",
"http://iejj6bywviuecjwi3kxanzojqroe3j3phzgplvrdzcicimtcw6xgk3yd.onion",
"http://xixkhm6inbg6t5642t2pjafsjsh3eaonpjysdcfvr3zvadlqb6nhryad.onion",
"http://giix5r763sbxmu442tmwfb4thqbz4i5ppxcqsmnnlqnm2yiezv6epxqd.onion",
"http://mokcrzbitq2gc5qcpxcbce43pawuthyaoazl6iz2xknj53ebyb4r4eid.onion",
"http://gpph6awu7hqsmzmr5sihusjoscp3itwtk3b4i2chwspmka2ikuqcwaqd.onion",
"http://v3r6g4q3b2jpqusznecxexr5aqi42vy5ts6jy6fu3strecvb5c2woead.onion",
"http://4xo3cicwo2rhpwr6vkgwt7mqg4oiqihsmoxwlmklf4sjoatkdqjtmcyd.onion",
"http://a4gbdvoorwn3tcqijoedvdeukqaqwc6t2kx4gh3gm37gv4p37evvzqad.onion",
"http://6jb5avmh6rvcb7vcux7kaivnzpqcrfg4ui4xv2co5vmspgrwll7lkkyd.onion",
"http://doz7omlqqanryonvil4iuj65shzcv3efupqwubkza6553wnekrrd4uid.onion",
"http://hbwsxlq3uzknabg2blt7d4mcbu24oriklji36zdqsz3ou3mf2d7bvoid.onion",
"http://ysknyr5m5n3pwg4jnaqsytxea2thwsbca3qipi64vlep42flywx7dgqd.onion",
"http://b3pzp6qwelgeygmzn6awkduym6s4gxh6htwxuxeydrziwzlx63zergyd.onion",
"http://p2qzf3rfvg4f74v2ambcnr6vniueucitbw6lyupkagsqejtuyak6qrid.onion",
"http://whfsjr35whjtrmmqqeqfxscfq564htdm427mjekic63737xscuayvkad.onion"
],
"refs": [
"https://www.ransomlook.io/group/play",
@ -29002,10 +29117,15 @@
"value": "qiulong"
},
{
"description": "",
"meta": {
"links": [
"https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion",
"https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/"
"https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/",
"https://vhfd5qagh6j7qbisjqvly7eejqbv6z5bv77v6yuhctn77wmd3hjkyvad.onion",
"https://acfckf3l6l7v2tsnedfx222a4og63zt6dmvheqbvsd72hkhaqadrrsad.onion",
"https://6wuivqgrv2g7brcwhjw5co3vligiqowpumzkcyebku7i2busrvlxnzid.onion",
"https://truysrv2txxvobngtlssbgqs3e3ekd53zl6zoxbotajyvmslp5rdxgid.onion"
],
"refs": [
"https://www.ransomlook.io/group/cactus"
@ -29083,7 +29203,8 @@
"meta": {
"links": [
"http://p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd.onion/index.html",
"http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/"
"http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/",
"https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/dunghill"
@ -29240,7 +29361,20 @@
"meta": {
"links": [
"http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion",
"http://5ntlvn7lmkezscee2vhatjaigkcu2rzj3bwhqaz32snmqc4jha3gcjad.onion"
"http://5ntlvn7lmkezscee2vhatjaigkcu2rzj3bwhqaz32snmqc4jha3gcjad.onion",
"http://76yl7gfmz2kkjglcevxps4tleyeqnqhfcxh6rnstxj27oxhoxird3hyd.onion",
"http://yj3eozlkkxkcsprc2fug7tolgtnllruyavuyyar3yzsccjdgvu2bl2yd.onion/",
"http://ufjoe7fdwvml52oin7flwlqksvp3fcvfyh2kwsngt7j2yf7xou52w2qd.onion/",
"http://i2okedfryhllg6ka6aur3wnxcxdaufbuuysp4drr5xoc6gvqpcogejid.onion/",
"http://s37weqmxusvfcxkoorgkut5v7frn27zftdb6pdjsyjl5djg6oxjqjbid.onion/",
"http://oftm4u5cfl6wyadj27h3csdxfvyd7favssxcr7l7wnswdsrfedxswxqd.onion/",
"http://wg55rcy2chmbpeh6pl5pftnveac2lqfxbletrtzanfjhhmvcjnn5tcqd.onion/",
"http://sbjthwyoxfuxq75b77e2hsj7ie67m3qicfnuikhuabwo3sikvrzyaxad.onion/",
"http://zo5xog4vpvdae473doneepetidh36m5czdq2vyeiq3lvqhuel56p6nid.onion/",
"http://66ohzao6afsv2opk22r2kv6fbnf2fthe7v4ykzzc5vjezvvyf3gocwyd.onion/",
"https://2nn4b6gihz5bttzabjegune3blwktad2zmy77fwutvvrxxodbufo6qid.onion/",
"http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/",
"http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/api/blog/get"
],
"refs": [
"https://www.ransomlook.io/group/embargo"
@ -29279,7 +29413,9 @@
{
"meta": {
"links": [
"https://apos.blog"
"https://apos.blog",
"http://yrz6bayqwhleymbeviter7ejccxm64sv2ppgqgderzgdhutozcbbhpqd.onion/rules",
"http://yrz6bayqwhleymbeviter7ejccxm64sv2ppgqgderzgdhutozcbbhpqd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/apos"
@ -29289,6 +29425,7 @@
"value": "apos"
},
{
"description": "This group is believed to be connected to Lost Trust. El Dorado rebranded to BlackLock in September 2024.",
"meta": {
"links": [
"http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion/",
@ -29409,7 +29546,8 @@
{
"meta": {
"links": [
"http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/"
"http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/",
"http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/cicada3301"
@ -29534,6 +29672,7 @@
"value": "chilelocker"
},
{
"description": "Group is also currently known as MADDLL32 and Metatron.",
"meta": {
"links": [
"http://k67ivvik3dikqi4gy4ua7xa6idijl4si7k5ad5lotbaeirfcsx4sgbid.onion"
@ -29682,7 +29821,90 @@
},
"uuid": "2a1e103b-da5f-56d6-a0c8-5daff4c4fd87",
"value": "orca"
},
{
"meta": {
"links": [
"http://hackerosyolorz77y7vwj57zobwdeuzydhctz3kuuzr52ylzayvxuqyd.onion"
],
"refs": [
"https://www.ransomlook.io/group/osyolorz collective"
]
},
"uuid": "99ddf1b6-7d75-58f6-b340-47545fec5e55",
"value": "osyolorz collective"
},
{
"meta": {
"links": [
"http://3o5ewrzhqoyodfs5kll4cjxagdfrpuu474panwobm4im7ejfpaux5jyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/embrago"
]
},
"uuid": "f054ec08-9058-52ba-a90d-922a9cc1a412",
"value": "embrago"
},
{
"meta": {
"links": [
"http://nitrogenczslprh3xyw6lh5xyjvmsz7ciljoqxxknd7uymkfetfhgvqd.onion",
"http://2u6njk55okdxvrup5feu3wbhyxvlqla7yuj2oz3xkzz27yzc66vcirqd.onion/",
"http://jzl4bylm4bng2zgmeqw3lx6bcbxzb2hulicxneuosq26sshnitrcvcad.onion/",
"http://6a5ib4udgwlkyl3zzeyenedcb7d33j2vq7egpqykr5457uiskeu6zjad.onion/",
"http://hzyp7n436ecwo73xvrgnf5wmbjewszwut4h6vz4fu6f2oqd5zfcd7sad.onion/",
"http://67hvtslok5a4cwjxfmidbgbunsvckypf2dwkpxg3y2sabar5b4jidmyd.onion/",
"http://sqnnhgqr4iiwnkaih6vspyxmebz2vvjv3uybmjdynw6sne5plilunhyd.onion/",
"http://z4tonbkjybcllsvd45smpkqkk5uaspmlnvmysrkxt37wuudijvp7k2id.onion",
"http://awrfq7pjydfp3hwbsun6ltxrrzths5ztgxj7i7ybx7twjrdvzvxkgwad.onion"
],
"refs": [
"https://www.ransomlook.io/group/nitrogen"
]
},
"uuid": "9d7ca9df-c219-59fc-93fb-86f4606942ba",
"value": "nitrogen"
},
{
"meta": {
"links": [
"http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion",
"http://bi32pq7y3gqq3qacgvamnk2s2elnppvevqp325wtk2wo7vh2zavjcfid.onion/",
"http://54yjkjwjqbm74nchm6o6b4l775ws2hgesdopus5jvo3jx6ftj7zn7mid.onion/",
"http://ngvvafvhfgwknj63ivqjqdxc7b5fyedo67zshblipo5a2zuair5t4nid.onion/",
"http://icmghe66zl4twvbv5g4h532mogcea44hrkxtotrlx6aia5jslnnbnxad.onion/",
"http://lyz3i74psw6vkuxdjhkyxzy3226775qpzs6oage4zw6qj66ppdxma2qd.onion/",
"http://55lfxollcks2pvxbtg73vrpl3i7x4jnnrxfl6al6viamwngqlu4cxgyd.onion/",
"http://modre6n4hqm4seip2thhbjcfkcdcljhec7ekvd5qt7m7fhimpc2446qd.onion/",
"http://r3yes535gjsi2puoz2bvssl3ewygcfgwoji6wdk3grj3baexn2hha2id.onion/",
"http://pauppf2nuoqxwwqqshaehbkj54debl7bppacfm5h6z6zjoiejifezhad.onion/",
"http://iiobxrljnmjwb6l66bfvhin5zxbghbgiv6yamqpb4bezlrxd2vhetgyd.onion/",
"http://nf5b6a4b4s623wfxkveibjmwwpqjm536t5tyrbtrw7vsdqepsdoejoad.onion/",
"http://rs3icoalw6bdgedspnmt6vp2dzzuyqxtccezmta2g5mlyao64len7dyd.onion/",
"http://lpp4aze237qkkursbtesd54ofag6te5i5lzpee5a3buhq4v3uwtxnlqd.onion/",
"http://6nwhpuwtf4onxvr7el5ycc4xwefhk4w6q6rbn23oe2ghax2x7nns3iad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/sarcoma"
]
},
"uuid": "dfe512ec-19ef-50c4-9ddf-56daf8c9b8d7",
"value": "sarcoma"
},
{
"meta": {
"links": [
"http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/",
"http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/leaks.php"
],
"refs": [
"https://www.ransomlook.io/group/interlock"
]
},
"uuid": "6a20c736-d83c-502f-8a9f-379a556fb4ac",
"value": "interlock"
}
],
"version": 133
"version": 137
}

3483
clusters/sigma-rules.json
View File

File diff suppressed because it is too large Load Diff

315
clusters/threat-actor.json
View File

@ -5681,7 +5681,8 @@
"https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage",
"https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/"
],
"synonyms": [
"Velvet Chollima",
@ -5692,7 +5693,8 @@
"APT43",
"Emerald Sleet",
"THALLIUM",
"Springtail"
"Springtail",
"Sparkling Pisces"
],
"targeted-sector": [
"Research - Innovation",
@ -6420,7 +6422,8 @@
"https://securelist.com/operation-daybreak/75100/",
"https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
"https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/",
"https://unit42.paloaltonetworks.com/atoms/moldypisces/"
"https://unit42.paloaltonetworks.com/atoms/moldypisces/",
"https://asec.ahnlab.com/en/83877/"
],
"synonyms": [
"APT 37",
@ -6437,7 +6440,8 @@
"Venus 121",
"ATK4",
"G0067",
"Moldy Pisces"
"Moldy Pisces",
"TA-RedAnt"
]
},
"related": [
@ -12795,6 +12799,15 @@
"https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/"
]
},
"related": [
{
"dest-uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
"value": "Earth Estries"
},
@ -15075,7 +15088,9 @@
"https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/"
],
"synonyms": [
"Akira"
"Akira",
"PUNK SPIDER",
"GOLD SAHARA"
]
},
"uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3",
@ -15215,6 +15230,15 @@
"Outrider Tiger"
]
},
"related": [
{
"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
"value": "Fishing Elephant"
},
@ -15233,10 +15257,29 @@
"meta": {
"country": "CN",
"refs": [
"https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
"https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
"https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf",
"https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/",
"https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf",
"https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation",
"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/",
"https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835"
],
"synonyms": [
"FamousSparrow",
"UNC2286",
"Salt Typhoon"
]
},
"related": [
{
"dest-uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
"value": "GhostEmperor"
},
@ -16688,7 +16731,263 @@
},
"uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e",
"value": "HikkI-Chan"
},
{
"description": "Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
"meta": {
"country": "CN",
"refs": [
"https://www.tgsoft.it/news/news_archivio.asp?id=1568",
"https://jp.security.ntt/tech_blog/appdomainmanager-injection",
"https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt"
]
},
"uuid": "d0c2cd99-64d5-406f-abd7-16b9e27966a7",
"value": "Earth Baxia"
},
{
"description": "SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistani, Sri Lanka, Bangladesh, and China. Industries targeted include government, law enforcement, energy, telecommunications, and technology entitie",
"meta": {
"refs": [
"https://blog.cloudflare.com/unraveling-sloppylemming-operations/"
]
},
"related": [
{
"dest-uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "4b09b683-5650-4a6c-a383-d8f3b686ebc2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424744",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b249444e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4b41",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e504c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
}
],
"uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"value": "SloppyLemming"
},
{
"description": "Storm-0494 is a threat actor that facilitates Gootloader infections, which are then exploited by groups like Vice Society to deploy tools such as the Supper backdoor, AnyDesk, and MEGA. They utilize RDP for lateral movement and employ the WMI Provider Host to deploy the INC ransomware payload. Microsoft has identified their activities as part of a campaign targeting the U.S. health sector. Their operations are characterized by financially motivated tactics.",
"meta": {
"refs": [
"https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/",
"https://x.com/MsftSecIntel/status/1836456406276342215"
]
},
"uuid": "bed7279c-4ae4-459a-a862-8c69e0cfdb93",
"value": "Storm-0494"
},
{
"description": "DragonRank is a threat actor primarily targeting web application services in Asia and Europe, utilizing TTPs associated with Simplified Chinese-speaking hacking groups. They exploit vulnerabilities in platforms like phpMyAdmin and WordPress to deploy web shells, enabling the installation of PlugX and BadIIS malware for black hat SEO practices. Their operations involve lateral movement within compromised networks to maintain control and elevate privileges, while also engaging in unethical online marketing strategies. DragonRank's activities include manipulating search engine rankings and distributing scam websites through compromised Windows IIS servers.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/dragon-rank-seo-poisoning/"
]
},
"uuid": "28157c93-0b9f-4341-983a-3a521cee12bb",
"value": "DragonRank"
},
{
"description": "Vice Spider is a Russian-speaking ransomware group that has been active since at least April 2021 and is linked to a significant increase in identity-based attacks, with a reported 583% rise in Kerberoasting incidents. CrowdStrike attributes 27% of these intrusions specifically to Vice Spider, which exploits vulnerabilities in the Kerberos authentication protocol to crack user passwords.",
"meta": {
"country": "RU",
"refs": [
"https://www.techtarget.com/searchsecurity/news/366547445/CrowdStrike-observes-massive-spike-in-identity-based-attacks"
]
},
"uuid": "2be3426b-c216-499f-b111-6694e96918f7",
"value": "VICE SPIDER"
},
{
"description": "AzzaSec is a hacktivist group that originated in Italy. Known for their pro-Palestine stance, they have been involved in various cyberattacks targeting Israel and pro-Israel countries. Additionally, AzzaSec has engaged in ransomware activities and has been known to collaborate with other cybercriminal groups.\n\n\n\n\n\n\n\n\n",
"meta": {
"country": "IT",
"refs": [
"https://socradar.io/dark-peep-16-play-ransomware-lockbits-alliance-breachforums-leak-and-cyberniggers-revival/",
"https://thecyberexpress.com/azzasec-noname-join-hands-to-target-ukriane/"
]
},
"uuid": "7d067b1a-89df-46ff-a2fc-d688da721236",
"value": "AzzaSec"
},
{
"description": "Handala is a pro-Palestinian hacktivist group that targets Israeli organizations, employing tactics such as phishing, data theft, extortion, and destructive attacks using custom wiper malware. The group utilizes a multi-stage loading process, including a Delphi-coded second-stage loader and an AutoIT injector, to deliver wiper malware that specifically targets Windows and Linux environments. Their phishing campaigns often exploit major events and critical vulnerabilities, masquerading as legitimate organizations to gain initial access. Handala operates a data leak site to publicize stolen data, although claims of successful attacks are sometimes disputed by targeted organizations.",
"meta": {
"country": "PS",
"refs": [
"https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html",
"https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/",
"https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/"
]
},
"uuid": "7b14f285-86e9-47da-be1a-16ce566c428b",
"value": "Handala"
},
{
"description": "Storm-0501 is a financially motivated cybercriminal group that has been active since 2021, initially targeting US school districts with the Sabbath ransomware and later transitioning to a RaaS model deploying various ransomware strains, including Embargo. The group exploits weak credentials and over-privileged accounts to achieve lateral movement from on-premises environments to cloud infrastructures, establishing persistent backdoor access and deploying ransomware. They have utilized techniques such as credential theft, exploiting vulnerabilities in Zoho ManageEngine and Citrix NetScaler, and employing tools like Cobalt Strike and Rclone for lateral movement and data exfiltration. Storm-0501 has specifically targeted sectors such as government, manufacturing, transportation, and law enforcement in the United States.",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/"
]
},
"uuid": "f6a60403-4bcc-4fc6-ac07-abb913c1f080",
"value": "Storm-0501"
},
{
"description": "CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab. The actor utilizes a custom toolset called Spacecolon, consisting of ScHackTool, ScInstaller, and ScService, to gain initial access through RDP brute forcing and exploiting vulnerabilities like CVE-2020-1472 and FortiOS SSL-VPN. CosmicBeetle has been observed impersonating the LockBit ransomware gang to leverage its reputation and has shown a tendency to leave artifacts on compromised systems. The group primarily targets SMBs globally, employing techniques such as credential dumping and data destruction.",
"meta": {
"refs": [
"https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/"
]
},
"uuid": "9686ff2b-01e0-46eb-9169-9e8d115be345",
"value": "CosmicBeetle"
},
{
"description": "UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Irans Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.",
"meta": {
"country": "IR",
"refs": [
"https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks"
]
},
"uuid": "80a874d5-0645-4245-aeb6-9b33a8689928",
"value": "UNC1860"
},
{
"description": "SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evidence collection. The group has also experienced a leadership change following the loss of their leader, Govadmin, while continuing to mobilize their followers for various missions. They have humorously solicited financial support for their activities, framing it as a means to support their cause. Additionally, they have been noted for their potential to leak sensitive information from compromised devices.",
"meta": {
"refs": [
"https://socradar.io/dark-peep-7-shadows-of-betrayal-and-leadership-in-flux/",
"https://medium.com/@criminalip/skidsec-hacker-group-announces-plans-to-spread-north-korean-propaganda-through-hacked-printers-in-fdd314178dc4"
],
"synonyms": [
"SkidSec Leaks"
]
},
"uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb",
"value": "SkidSec"
},
{
"description": "Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access. The group has been active since at least December 2021 and has ramped up its activities following the Russo-Ukrainian conflict. Recent reports indicate that they are focusing on espionage against critical infrastructure in the defense and energy sectors. Analysis of their malware reveals a new version that is still in development, suggesting ongoing operational capabilities.",
"meta": {
"refs": [
"https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/",
"https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/"
],
"synonyms": [
"Core Werewolf"
]
},
"uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7",
"value": "Awaken Likho"
},
{
"description": "CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.",
"meta": {
"country": "CN",
"refs": [
"https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/"
]
},
"uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
"value": "CeranaKeeper"
},
{
"description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.",
"meta": {
"refs": [
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
"http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf"
]
},
"uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab",
"value": "SongXY"
},
{
"description": "TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russian federal executive authorities in 2020, potentially alongside another Chinese group, TA428. Additionally, the group has been associated with the BackDoor.RemShell.24 malware, indicating a diverse toolkit in their operations.",
"meta": {
"country": "CN",
"refs": [
"https://www.group-ib.com/blog/task/",
"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia"
],
"synonyms": [
"BlueTraveller"
]
},
"uuid": "f6134b6c-56f1-4eda-be0f-79411d627f19",
"value": "TaskMasters"
}
],
"version": 313
"version": 318
}

204
clusters/tidal-campaigns.json
View File

@ -57,7 +57,7 @@
{
"description": "In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>\n\nThe Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup><sup>[[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]</sup>\n\n**Related Vulnerabilities**: CVE-2022-31199<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>",
"meta": {
"campaign_attack_id": "C5000",
"campaign_attack_id": "C3003",
"first_seen": "2022-08-01T00:00:00Z",
"last_seen": "2023-05-31T00:00:00Z",
"owner": "TidalCyberIan",
@ -75,7 +75,7 @@
{
"description": "In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization's mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.\n\nIvanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a).<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-35078<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>, CVE-2023-35081<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>",
"meta": {
"campaign_attack_id": "C5004",
"campaign_attack_id": "C3007",
"first_seen": "2023-04-01T00:00:00Z",
"last_seen": "2023-07-28T00:00:00Z",
"owner": "TidalCyberIan",
@ -95,7 +95,7 @@
{
"description": "In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organizations public-facing web servers. A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organizations firewall devices.\n\nAfter gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>\n\nIn addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a).\n\n**Related Vulnerabilities**: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>",
"meta": {
"campaign_attack_id": "C5005",
"campaign_attack_id": "C3009",
"first_seen": "2023-01-01T00:00:00Z",
"last_seen": "2023-04-01T00:00:00Z",
"owner": "TidalCyberIan",
@ -115,7 +115,7 @@
{
"description": "AMBERSQUID is a \"cloud-native\" financially motivated threat operation that specifically leverages AWS services. Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.<sup>[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]</sup>",
"meta": {
"campaign_attack_id": "C5031",
"campaign_attack_id": "C3030",
"first_seen": "2022-05-01T00:00:00Z",
"last_seen": "2023-03-31T00:00:00Z",
"owner": "TidalCyberIan",
@ -134,7 +134,7 @@
{
"description": "In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.\n\nAndariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023 and referenced public threat reporting published from March 2021 through May 2024.<sup>[[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]</sup>",
"meta": {
"campaign_attack_id": "C5048",
"campaign_attack_id": "C3048",
"first_seen": "2021-03-01T00:00:00Z",
"last_seen": "2024-05-30T00:00:00Z",
"owner": "TidalCyberIan",
@ -202,7 +202,7 @@
{
"description": "Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).<sup>[[Esentire 5 8 2024](/references/67c3a7ed-e2e2-4566-aca7-61e766f177bf)]</sup>",
"meta": {
"campaign_attack_id": "C5038",
"campaign_attack_id": "C3038",
"first_seen": "2024-04-01T00:00:00Z",
"last_seen": "2024-04-30T00:00:00Z",
"owner": "TidalCyberIan",
@ -219,7 +219,7 @@
{
"description": "In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>",
"meta": {
"campaign_attack_id": "C5007",
"campaign_attack_id": "C3008",
"first_seen": "2021-01-01T00:00:00Z",
"last_seen": "2021-12-31T00:00:00Z",
"owner": "TidalCyberIan",
@ -236,7 +236,7 @@
{
"description": "U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.<sup>[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)]</sup> According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.<sup>[[U.S. Justice Department GRU Botnet February 2024](/references/26a554dc-39c0-4638-902d-7e84fe01b961)]</sup>",
"meta": {
"campaign_attack_id": "C5015",
"campaign_attack_id": "C3027",
"first_seen": "2022-12-01T00:00:00Z",
"last_seen": "2024-01-01T00:00:00Z",
"owner": "TidalCyberIan",
@ -260,7 +260,7 @@
{
"description": "UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.<sup>[[U.S. CISA APT29 Cloud Access](/references/e9e08eca-1e01-4ff0-a8ef-49ecf66aaf3d)]</sup>",
"meta": {
"campaign_attack_id": "C5016",
"campaign_attack_id": "C3028",
"first_seen": "2023-02-26T00:00:00Z",
"last_seen": "2024-02-26T00:00:00Z",
"owner": "TidalCyberIan",
@ -277,7 +277,7 @@
{
"description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nIn December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russias Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.\n\nCVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.\n\nJetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims. Indicators of compromise, mitigation guidance, and detection resources including Sigma and YARA rules can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a).<sup>[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]</sup>",
"meta": {
"campaign_attack_id": "C5012",
"campaign_attack_id": "C3017",
"first_seen": "2023-09-01T00:00:00Z",
"last_seen": "2023-12-14T00:00:00Z",
"owner": "TidalCyberIan",
@ -294,7 +294,7 @@
{
"description": "On July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.\n\nThe advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.<sup>[[U.S. CISA APT40 July 8 2024](/references/3bf90a48-caf6-4b9d-adc2-3d1176f49ffc)]</sup>",
"meta": {
"campaign_attack_id": "C5047",
"campaign_attack_id": "C3047",
"first_seen": "2022-04-01T00:00:00Z",
"last_seen": "2022-09-30T00:00:00Z",
"owner": "TidalCyberIan",
@ -325,7 +325,7 @@
{
"description": "In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.<sup>[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]</sup>",
"meta": {
"campaign_attack_id": "C5049",
"campaign_attack_id": "C3049",
"first_seen": "2023-03-21T00:00:00Z",
"last_seen": "2024-07-16T00:00:00Z",
"owner": "TidalCyberIan",
@ -342,7 +342,7 @@
{
"description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.<sup>[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]</sup> The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>",
"meta": {
"campaign_attack_id": "C5019",
"campaign_attack_id": "C3036",
"first_seen": "2023-11-01T00:00:00Z",
"last_seen": "2024-02-29T00:00:00Z",
"owner": "TidalCyberIan",
@ -365,7 +365,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.<sup>[[Www.invictus-ir.com 1 11 2024](/references/5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9)]</sup>",
"meta": {
"campaign_attack_id": "C5035",
"campaign_attack_id": "C3034",
"first_seen": "2024-01-01T00:00:00Z",
"last_seen": "2024-01-01T00:00:00Z",
"owner": "TidalCyberIan",
@ -385,7 +385,7 @@
{
"description": "Security researchers observed adversary activity that involved deployment of hundreds of AWS ECS Fargate clusters used to run XMRig cryptomining software. Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.<sup>[[Datadog ECS January 19 2024](/references/7e4e44a7-b079-41af-b41d-176ba7e99563)]</sup>",
"meta": {
"campaign_attack_id": "C5032",
"campaign_attack_id": "C3031",
"first_seen": "2023-12-01T00:00:00Z",
"last_seen": "2024-01-19T00:00:00Z",
"owner": "TidalCyberIan",
@ -404,7 +404,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.<sup>[[Unit 42 12 8 2022](/references/e7a4a0cf-ffa2-48cc-9b21-a2333592c773)]</sup>",
"meta": {
"campaign_attack_id": "C5033",
"campaign_attack_id": "C3032",
"first_seen": "2022-05-20T00:00:00Z",
"last_seen": "2022-05-20T00:00:00Z",
"owner": "TidalCyberIan",
@ -422,7 +422,7 @@
{
"description": "Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.<sup>[[Rapid7 Blog 5 10 2024](/references/ba749fe0-1ac7-4767-85df-97e6351c37f9)]</sup><sup>[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]</sup>",
"meta": {
"campaign_attack_id": "C5037",
"campaign_attack_id": "C3037",
"first_seen": "2024-04-15T00:00:00Z",
"last_seen": "2024-05-15T00:00:00Z",
"owner": "TidalCyberIan",
@ -442,7 +442,7 @@
{
"description": "This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.",
"meta": {
"campaign_attack_id": "C5029",
"campaign_attack_id": "C3025",
"first_seen": "2023-03-01T00:00:00Z",
"last_seen": "2024-02-01T00:00:00Z",
"owner": "TidalCyberIan",
@ -592,7 +592,7 @@
{
"description": "In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup> Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.<sup>[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-34362<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup>",
"meta": {
"campaign_attack_id": "C5002",
"campaign_attack_id": "C3005",
"first_seen": "2023-05-27T00:00:00Z",
"last_seen": "2023-06-16T00:00:00Z",
"owner": "TidalCyberIan",
@ -610,7 +610,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C5026",
"campaign_attack_id": "C3022",
"first_seen": "2023-11-14T00:00:00Z",
"last_seen": "2023-11-24T00:00:00Z",
"owner": "TidalCyberIan",
@ -625,6 +625,28 @@
"uuid": "bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4",
"value": "Cloudflare Thanksgiving 2023 security incident"
},
{
"description": "Actors deploying a variant of the Mirai botnet, known as Corona, were observed exploiting a zero-day vulnerability (CVE-2024-7029) to achieve initial infection of new devices with the botnet. The vulnerability enables remote code execution on affected devices (AVTECH closed-circuit television (CCTV) cameras), which actors abused to ingress their main payloads.<sup>[[Akamai Corona Zero-Day August 28 2024](/references/140284f8-075c-4225-99dd-519ba5cebabe)]</sup>",
"meta": {
"campaign_attack_id": "C3051",
"first_seen": "2024-03-18T00:00:00Z",
"last_seen": "2024-08-28T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"55cb344a-cbd5-4fd1-a1e9-30bbc956527e",
"f925e659-1120-4b76-92b6-071a7fb757d6",
"06236145-e9d6-461c-b7e4-284b3de5f561",
"a98d7a43-f227-478e-81de-e7299639a355",
"33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "4f1823b1-80ad-4f5d-ba04-a4d4baf37e72",
"value": "Corona Mirai Botnet Zero-Day Exploit Campaign"
},
{
"description": "[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.<sup>[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]</sup>",
"meta": {
@ -664,7 +686,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an \"accidentally exposed long term access key belonging to an IAM user\". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining acitivty, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.<sup>[[Www.invictus-ir.com 1 31 2024](/references/803a084a-0468-4c43-9843-a0b5652acdba)]</sup>",
"meta": {
"campaign_attack_id": "C5034",
"campaign_attack_id": "C3033",
"first_seen": "2024-01-01T00:00:00Z",
"last_seen": "2024-01-31T00:00:00Z",
"owner": "TidalCyberIan",
@ -682,7 +704,7 @@
{
"description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.<sup>[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]</sup>",
"meta": {
"campaign_attack_id": "C5014",
"campaign_attack_id": "C3026",
"first_seen": "2022-12-01T00:00:00Z",
"last_seen": "2022-12-31T00:00:00Z",
"owner": "TidalCyberIan",
@ -700,7 +722,7 @@
{
"description": "In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.\n\nThe actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.\n\nAdditional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf).<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>",
"meta": {
"campaign_attack_id": "C5006",
"campaign_attack_id": "C3010",
"first_seen": "2023-03-01T00:00:00Z",
"last_seen": "2023-03-31T00:00:00Z",
"owner": "TidalCyberIan",
@ -745,7 +767,7 @@
{
"description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.<sup>[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]</sup>",
"meta": {
"campaign_attack_id": "C5042",
"campaign_attack_id": "C3042",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2024-06-24T00:00:00Z",
"owner": "TidalCyberIan",
@ -762,7 +784,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C5025",
"campaign_attack_id": "C3021",
"first_seen": "2023-05-01T00:00:00Z",
"last_seen": "2023-12-12T00:00:00Z",
"owner": "TidalCyberIan",
@ -780,7 +802,7 @@
{
"description": "In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>\n\n**Related Vulnerabilities**: CVE-2021-44228<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>",
"meta": {
"campaign_attack_id": "C5008",
"campaign_attack_id": "C3012",
"first_seen": "2022-06-15T00:00:00Z",
"last_seen": "2022-07-15T00:00:00Z",
"owner": "TidalCyberIan",
@ -797,7 +819,7 @@
{
"description": "In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.<sup>[[U.S. CISA Iran Voter Data November 3 2020](/references/be89be75-c33f-4c58-8bf0-979c1debaad7)]</sup>",
"meta": {
"campaign_attack_id": "C5010",
"campaign_attack_id": "C3014",
"first_seen": "2020-09-20T00:00:00Z",
"last_seen": "2020-10-20T00:00:00Z",
"owner": "TidalCyberIan",
@ -810,7 +832,7 @@
{
"description": "In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian governments Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.\n\nThe actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.\n\nIn addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).\n\n**Related Vulnerabilities**: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105<sup>[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)]</sup>, CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591<sup>[[U.S. CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]</sup>",
"meta": {
"campaign_attack_id": "C5009",
"campaign_attack_id": "C3013",
"first_seen": "2021-03-01T00:00:00Z",
"last_seen": "2022-09-14T00:00:00Z",
"owner": "TidalCyberIan",
@ -865,7 +887,7 @@
{
"description": "JOKERSPY (aka REF9134) was an intrusion involving a Python-based backdoor, which was used to deploy a malicious macOS-based enumeration tool called Swiftbelt and other open-source tools.<sup>[[elastic.co 6 21 2023](/references/42c40ec8-f46a-48fa-bd97-818e3d3d320e)]</sup>",
"meta": {
"campaign_attack_id": "C5036",
"campaign_attack_id": "C3035",
"first_seen": "2023-05-31T00:00:00Z",
"last_seen": "2023-06-01T00:00:00Z",
"owner": "TidalCyberIan",
@ -882,7 +904,7 @@
{
"description": "In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller (\"ADC\") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.<sup>[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]</sup>\n\nAfter achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim's Active Directory (\"AD\"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segementation controls for the ADC appliance blocked this attempted activity.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is \"consistent with previous operations by China-nexus actors\".<sup>[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-3519<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup>",
"meta": {
"campaign_attack_id": "C5001",
"campaign_attack_id": "C3004",
"first_seen": "2023-06-01T00:00:00Z",
"last_seen": "2023-06-30T00:00:00Z",
"owner": "TidalCyberIan",
@ -900,7 +922,7 @@
{
"description": "In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.\n\nCitrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.\n\nAfter successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a).<sup>[[U.S. CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)]</sup> Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.<sup>[[Malwarebytes Citrix Bleed November 24 2023](/references/fdc86cea-0015-48d1-934f-b22244de6306)]</sup><sup>[[Cybernews Yanfeng Qilin November 2023](/references/93c89ca5-1863-4ee2-9fff-258f94f655c4)]</sup>",
"meta": {
"campaign_attack_id": "C5011",
"campaign_attack_id": "C3016",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2023-11-16T00:00:00Z",
"owner": "TidalCyberIan",
@ -917,10 +939,27 @@
"uuid": "f4225d6a-8734-401f-aa2a-1a73c23b16e6",
"value": "LockBit Affiliate Citrix Bleed Exploits"
},
{
"description": "Researchers discovered the existence of a newly identified red teaming framework used to generate attack payloads, called \"MacroPack\". The framework was used to deploy the Brute Ratel and Havoc post-exploitation frameworks and the PhantomCore remote access trojan. In addition to red teaming applications, researchers assessed that MacroPack is also being abused by threat actors.<sup>[[Cisco Talos Blog September 3 2024](/references/b222cabd-347d-45d4-aeaf-4135795d944d)]</sup>",
"meta": {
"campaign_attack_id": "C3052",
"first_seen": "2024-05-01T00:00:00Z",
"last_seen": "2024-07-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "2229e945-ec3d-4e20-ad4a-bd12741a6724",
"value": "MacroPack Payload Delivery Activity"
},
{
"description": "The DFIR Report researchers reported about activity taking place in May 2023, which saw an adversary, attributed to FIN11 and Lace Tempest, achieve initial access into a victim environment via a spearphishing email, leading to the download of Truebot malware. Several other tools and malware were then subsequently used to move laterally, discover and collect victim information, exfiltrate it, and ultimately deploy a wiper. These included: FlawedGrace, Cobalt Strike, Impacket, various native utilities, and MBR Killer. In total, the activity lasted for 29 hours.<sup>[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]</sup>",
"meta": {
"campaign_attack_id": "C5021",
"campaign_attack_id": "C3002",
"first_seen": "2023-05-01T00:00:00Z",
"last_seen": "2023-05-31T00:00:00Z",
"owner": "TidalCyberIan",
@ -937,7 +976,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C5027",
"campaign_attack_id": "C3023",
"first_seen": "2023-11-30T00:00:00Z",
"last_seen": "2024-01-12T00:00:00Z",
"owner": "TidalCyberIan",
@ -955,7 +994,7 @@
{
"description": "Researchers observed a campaign that took place in the latter half of 2021, apparently directed at individuals representing financial and political figures in Palestine and Tukery, that used malicious, macro-based Microsoft Office files to compromise victim systems with the aim of installing a .NET-based backdoor tool. Researchers attributed the activity to the Molerats APT group.<sup>[[Zscaler Molerats Campaign](/references/3b39e73e-229f-4ff4-bec3-d83e6364a66e)]</sup>",
"meta": {
"campaign_attack_id": "C5022",
"campaign_attack_id": "C3011",
"first_seen": "2021-07-01T00:00:00Z",
"last_seen": "2021-12-01T00:00:00Z",
"owner": "TidalCyberIan",
@ -972,7 +1011,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.<sup>[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]</sup>",
"meta": {
"campaign_attack_id": "C5039",
"campaign_attack_id": "C3039",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2024-05-28T00:00:00Z",
"owner": "TidalCyberIan",
@ -1001,7 +1040,7 @@
{
"description": "According to details published by Okta Security, threat actors gained unauthorized access to Oktas customer support management system from September 28 to October 17, 2023. Initial access to the system was believed to have been achieved after an employee signed into a personal cloud account on their Okta-managed laptop and saved the legitimate credentials for an Okta service account into that cloud profile. Okta Security believes the personal cloud account was most likely compromised (through unspecified means), exposing the Okta service account credentials.\n\nAfter gaining access to the Okta customer support management system using the valid service account credentials, the threat actor accessed HTTP Archive (HAR) files provided by Okta customers, which can contain cookies and session tokens. Okta indicated that the threat actor used session tokens compromised during the incident to hijack the legitimate Okta sessions of at least five customers. The threat actor is also believed to have run and downloaded a report that contained the names and email addresses of all Okta customer support system users. Considering that customers names and email addresses were downloaded, Okta Security indicated that they assessed there is an increased risk of phishing and social engineering attacks directed at those users following the incident.<sup>[[Okta HAR Files Incident Notice](/references/14855034-494e-477d-8c91-fc534fd7790d)]</sup><sup>[[Okta HAR Files RCA](/references/742d095c-9bd1-4f4a-8bc6-16db6d15a9f4)]</sup><sup>[[Okta HAR Files Incident Update](/references/5e09ab9c-8cb2-49f5-b65f-fd5447e71ef4)]</sup>",
"meta": {
"campaign_attack_id": "C5023",
"campaign_attack_id": "C3018",
"first_seen": "2023-09-28T00:00:00Z",
"last_seen": "2023-10-17T00:00:00Z",
"owner": "TidalCyberIan",
@ -1019,7 +1058,7 @@
{
"description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.<sup>[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]</sup>",
"meta": {
"campaign_attack_id": "C5018",
"campaign_attack_id": "C3015",
"first_seen": "2022-03-01T00:00:00Z",
"last_seen": "2022-04-01T00:00:00Z",
"owner": "TidalCyberIan",
@ -1096,7 +1135,7 @@
{
"description": "Operation In(ter)ception refers to a series of threat activities attributed to Lazarus Group dating back to at least late 2019. Operation In(ter)ception campaigns are considered a sub-component of broader Lazarus Group espionage activities known as Operation Dream Job. Operation In(ter)ception attacks typically feature social engineering lures containing fake job vacany announcements for cryptocurrency companies. They are designed to ultimately infect targets with macOS malware.<sup>[[SentinelOne 9 26 2022](/references/973a110c-f1cd-46cd-b92b-5c7d8e7492b1)]</sup>",
"meta": {
"campaign_attack_id": "C5040",
"campaign_attack_id": "C3040",
"first_seen": "2019-12-01T00:00:00Z",
"last_seen": "2022-09-26T00:00:00Z",
"owner": "TidalCyberIan",
@ -1149,7 +1188,7 @@
{
"description": "In May 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) authorities released Cybersecurity Advisory AA23-131A, which detailed observed exploits of a vulnerability, CVE-2023-27350, affecting certain versions of PaperCut NG and PaperCut MF, software applications for print management. PaperCut released a patch for the vulnerability in March 2023.<sup>[[PaperCut MF/NG vulnerability bulletin](/references/d6e71b45-fc91-40f4-8201-2186994ae42a)]</sup> According to the Advisory, authorities observed unspecified threat actors exploiting the vulnerability in mid-April 2023, followed by exploitation by the self-identified Bl00dy Ransomware Gang the following month.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>\n\nCVE-2023-27350 allows a remote actor to bypass authentication and remotely execute code on servers running affected versions of PaperCut software. In May, U.S. authorities observed Bl00dy Ransomware Gang actors exploiting the vulnerability to achieve initial access into education sector entities' networks and ingressing both legitimate remote management and maintenance (RMM) tools and several other command and control-related malware, including Lizar, Truebot, and Cobalt Strike. In some cases, the actors ultimately exfiltrated victim data and encrypted files, demanding payment in order to decrypt affected systems (the Advisory did not indicate how precisely actors encrypted data). The Advisory indicated that the \"Education Facilities Subsector\" maintains nearly 70% of exposed (but not necessarily vulnerable) U.S.-based PaperCut servers.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>\n\nThe Advisory instructed defenders to focus CVE-2023-27350 detection efforts on three areas: network traffic signatures, system monitoring, and server settings and log files. More details and resources for detection can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a).\n\n**Related Vulnerabilities**: CVE-2023-27350<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>",
"meta": {
"campaign_attack_id": "C5003",
"campaign_attack_id": "C3006",
"first_seen": "2023-04-15T00:00:00Z",
"last_seen": "2023-05-30T00:00:00Z",
"owner": "TidalCyberIan",
@ -1169,7 +1208,7 @@
{
"description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nThis is a single object to represent the initial access and delivery methods observed with Pikabot distribution in the first year after its discovery. Distribution campaigns have been linked to the TA577 threat actor (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike)<sup>[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]</sup><sup>[[Unit42 Malware Roundup December 29 2023](/references/a18e19b5-9046-4c2c-bd94-2cd5061064bf)]</sup>; however, the Technique- and Procedure level intelligence associated with these campaigns that is provided below was not explicitly linked to that group, so we are providing this intelligence to users in this Campaign form. The Water Curupira intrusion set (affiliated with the Black Basta ransomware operation) has also been observed distributing Pikabot.<sup>[[Trend Micro Pikabot January 9 2024](/references/dc7d882b-4e83-42da-8e2f-f557b675930a)]</sup>",
"meta": {
"campaign_attack_id": "C5013",
"campaign_attack_id": "C3019",
"first_seen": "2023-02-01T00:00:00Z",
"last_seen": "2023-12-31T00:00:00Z",
"owner": "TidalCyberIan",
@ -1186,7 +1225,7 @@
{
"description": "Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.<sup>[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)]</sup><sup>[[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]</sup>",
"meta": {
"campaign_attack_id": "C5045",
"campaign_attack_id": "C3045",
"first_seen": "2024-03-01T00:00:00Z",
"last_seen": "2024-06-07T00:00:00Z",
"owner": "TidalCyberIan",
@ -1203,7 +1242,7 @@
{
"description": "A collections of TTPs associated with a phishing-based campaign that resulted in QakBot deployments. The campaign comes about four months after the reported disruption of QakBot distribution networks in an international law enforcement operation.<sup>[[K7 QakBot Returns January 4 2024](/references/5cb5e645-b77b-4bd1-a742-c8f53f234713)]</sup>",
"meta": {
"campaign_attack_id": "C5024",
"campaign_attack_id": "C3020",
"first_seen": "2023-12-11T00:00:00Z",
"last_seen": "2024-01-04T00:00:00Z",
"owner": "TidalCyberIan",
@ -1221,7 +1260,7 @@
{
"description": "Independent investigators reported details about a response to a compromise involving Quantum ransomware. The date of the attack was not disclosed, but the incident was reported in April 2022. IcedID was used to gain an initial foothold, Cobalt Strike and RDP were leveraged for lateral movement, and WMI and PsExec were used to deploy the ransomware payload. The incident was described as \"one of the fastest ransomware cases\" the investigators had handled, with domain-wide encryption occurring within four hours of initial access.<sup>[[The DFIR Report April 25 2022](/references/2e28c754-911a-4f08-a7bd-4580f5283571)]</sup>",
"meta": {
"campaign_attack_id": "C5043",
"campaign_attack_id": "C3043",
"first_seen": "2022-04-01T00:00:00Z",
"last_seen": "2022-04-25T00:00:00Z",
"owner": "TidalCyberIan",
@ -1240,7 +1279,7 @@
{
"description": "Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. This object reflects the MITRE ATT&CK® Techniques associated with this activity.<sup>[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]</sup>\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).",
"meta": {
"campaign_attack_id": "C5041",
"campaign_attack_id": "C3041",
"first_seen": "2023-08-13T00:00:00Z",
"last_seen": "2024-06-13T00:00:00Z",
"owner": "TidalCyberIan",
@ -1258,7 +1297,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to recently reported attacks that featured exploits of recently disclosed vulnerabilities in the ConnectWise ScreenConnect utility (CVE-2024-1709 and CVE-2024-1708, aka \"SlashAndGrab\"). Several of the observed attacks saw the ingress of various malicious tools, including suspected ransomware.\n\nFurther background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C5028",
"campaign_attack_id": "C3024",
"first_seen": "2024-02-19T00:00:00Z",
"last_seen": "2024-02-23T00:00:00Z",
"owner": "TidalCyberIan",
@ -1296,7 +1335,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C5030",
"campaign_attack_id": "C3029",
"first_seen": "2024-02-26T00:00:00Z",
"last_seen": "2024-02-27T00:00:00Z",
"owner": "TidalCyberIan",
@ -1325,10 +1364,38 @@
"uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b",
"value": "Triton Safety Instrumented System Attack"
},
{
"description": "On September 5, 2024, international authorities published joint Cybersecurity Advisory AA24-249A, which detailed recent activity linked to cyber actors affiliated with the 161st Specialist Training Center (aka Unit 29155) of the Russian General Staff Main Intelligence Directorate (GRU), the foreign military intelligence agency of Russia's armed forces. The advisory highlighted Unit 29155 espionage, sabotage, and reputational cyber attacks carried out against targets around the world since 2020.\n\nWhile Unit 29155 had been previously linked to influence, interference, and physical sabotage operations, the advisory noted how the group has expanded its tradecraft to now include offensive cyber operations. The advisory indicated that several groups tracked by the cybersecurity community relate to Unit 29155 cyber actors but may not be directly synonyms with all parts of the Unit (or each other), including: Cadet Blizzard, DEV-0586, Ember Bear, Bleeding Bear, Frozenvista, UNC2589, and UAC-0056.<sup>[[U.S. CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]</sup>",
"meta": {
"campaign_attack_id": "C3053",
"first_seen": "2020-08-03T00:00:00Z",
"last_seen": "2024-09-05T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"35e694ec-5133-46e3-b7e1-5831867c3b55",
"d8f7e071-fbfd-46f8-b431-e241bb1513ac",
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee",
"5b8371c5-1173-4496-82c7-5f0433987e77",
"f18e6c1d-d2ee-4eda-8172-67dcbc4e59ed",
"9e4936f0-e3b7-4721-a638-58b2d093b2f2",
"1281067e-4a7e-4003-acf8-e436105bf395",
"7c67d99a-fc8a-4463-8f46-45e9a39fe6b0",
"fe28cf32-a15c-44cf-892c-faa0360d6109",
"15f2277a-a17e-4d85-8acd-480bf84f16b4"
]
},
"related": [],
"uuid": "5e1bc9d2-1f2e-4ba3-b6b8-8d4e1f635762",
"value": "Unit 29155 Russian Military Cyber Activity"
},
{
"description": "Researchers observed suspected \"China-nexus\" actor Velvet Ant exploiting CVE-2024-20399 in Cisco Nexus network switch devices in order to upload and execute \"previously unknown custom malware\" on the devices' operating systems. Researchers first observed \"zero-day\" exploit activity in the wild at an undisclosed point \"during the past year\", and after they shared the findings, Cisco acknowledged the vulnerability in an advisory published on July 1, 2024.\n\nThe vulnerability's overall risk is mitigated by the fact that it requires valid administrator-level credentials and network access to the target switch for successful exploitation. However, researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\". This exploit campaign was discovered as part of a larger investigation into Velvet Ant, which was previously observed targeting F5 load balancer devices for persistence.<sup>[[The Hacker News Velvet Ant Cisco July 2 2024](/references/e3949201-c949-4126-9e02-34bfad4713c0)]</sup><sup>[[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]</sup>",
"meta": {
"campaign_attack_id": "C5046",
"campaign_attack_id": "C3046",
"first_seen": "2023-07-01T00:00:00Z",
"last_seen": "2024-07-01T00:00:00Z",
"owner": "TidalCyberIan",
@ -1348,7 +1415,7 @@
{
"description": "This object reflects the tools & TTPs associated with a campaign attributed to Velvet Ant, a suspected \"China-nexus\" state-sponsored threat group. Researchers believe the actor managed to maintain extremely prolonged access to a victim network residing and remaining active there for around three years notably by abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as an internal command and control mechanism. Researchers assess the intrusion was carried out for espionage purposes.<sup>[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)]</sup><sup>[[BleepingComputer Velvet Ant June 17 2024](/references/70235e47-f8bb-4d16-9933-9f4923f08f5d)]</sup>",
"meta": {
"campaign_attack_id": "C5044",
"campaign_attack_id": "C3044",
"first_seen": "2020-12-01T00:00:00Z",
"last_seen": "2023-12-01T00:00:00Z",
"owner": "TidalCyberIan",
@ -1363,10 +1430,49 @@
"uuid": "b78565ce-8eec-49ad-b762-8d2107fa9ce7",
"value": "Velvet Ant F5 BIG-IP Espionage Activity"
},
{
"description": "Void Banshee is an advanced persistent threat (APT) group identified by Trend Micro researchers, which is known to target victims in North America, Europe, and Southeast Asia for information theft and financial gain. In May 2024, researchers observed Void Banshee actors exploiting CVE-2024-38112, a remote code execution vulnerability in the \"MSHTML\" web browser software component. The vulnerability had not been previously disclosed, so the campaign was characterized as \"zero-day\" exploit activity. Actors delivered the Atlantida infostealer malware during the observed attacks.<sup>[[Trend Micro Void Banshee July 15 2024](/references/02c4dda2-3aae-43ec-9b14-df282b200def)]</sup>\n\nLater, researchers noted that Void Banshee also exploited a separate MSHTML-related vulnerability, CVE-2024-43461, as a zero-day during attacks culminating in Atlantida infostealer deployments.<sup>[[BleepingComputer Void Banshee September 16 2024](/references/2c9a2355-02c5-4718-ad6e-b2fac9ad4096)]</sup>",
"meta": {
"campaign_attack_id": "C3054",
"first_seen": "2024-05-15T00:00:00Z",
"last_seen": "2024-07-15T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"0281a78d-1eb1-4e10-9327-2032928e37d9",
"ff8a2e10-4bf7-45f0-954c-8847fdcb9612",
"a98d7a43-f227-478e-81de-e7299639a355",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "dbe34d5d-91b0-4a50-98c7-4e36ba0bcda6",
"value": "Void Banshee Zero-Day Exploit Activity"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.",
"meta": {
"campaign_attack_id": "C3050",
"first_seen": "2024-08-05T00:00:00Z",
"last_seen": "2024-08-29T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"fe28cf32-a15c-44cf-892c-faa0360d6109",
"82009876-294a-4e06-8cfc-3236a429bda4",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "e740e392-98cb-428a-ab92-b0a4d1d546b7",
"value": "Voldemort Malware Delivery Campaign"
},
{
"description": "A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initiallly saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.<sup>[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]</sup>",
"meta": {
"campaign_attack_id": "C5020",
"campaign_attack_id": "C3001",
"first_seen": "2020-10-01T00:00:00Z",
"last_seen": "2022-04-13T00:00:00Z",
"owner": "TidalCyberIan",

932
clusters/tidal-groups.json
View File

File diff suppressed because it is too large Load Diff

2534
clusters/tidal-references.json
View File

File diff suppressed because it is too large Load Diff

5238
clusters/tidal-software.json
View File

File diff suppressed because it is too large Load Diff

12
clusters/tool.json
View File

@ -1882,7 +1882,8 @@
"refs": [
"http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html",
"https://blogs.cisco.com/security/talos/opening-zxshell",
"https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox"
"https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
],
"synonyms": [
"Sensode"
@ -9208,6 +9209,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "similar"
},
{
"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
@ -11075,5 +11083,5 @@
"value": "SLIVER"
}
],
"version": 173
"version": 174
}