MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

added HAFNIUM 

Updates:
Tonto Team
UNC2452
pull/631/head
Rony 2021-03-04 00:10:33 +05:30 committed by GitHub
parent fee4cbc123
commit ad795606cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
clusters/threat-actor.json
View File

@ -4778,7 +4778,8 @@
],
"synonyms": [
"CactusPete",
"Karma Panda"
"Karma Panda",
"BRONZE HUNTLEY"
]
},
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@ -8427,12 +8428,28 @@
"https://github.com/fireeye/sunburst_countermeasures"
],
"synonyms": [
"DarkHalo"
"DarkHalo",
"StellarParticle"
]
},
"uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
"value": "UNC2452"
},
{
"description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once theyve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
"meta": {
"refs": [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html",
"https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
"https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
"https://twitter.com/ESETresearch/status/1366862946488451088"
]
},
"uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
"value": "HAFNIUM"
}
],
"version": 198
"version": 199
}