merge

2023-04-11 13:57:30 +02:00 · 2023-04-11 13:57:30 +02:00 · d30e7357fe
parent eb9254713a 3cc7e03af6
commit d30e7357fe
6 changed files with 9540 additions and 9141 deletions
--- a/README.md
+++ b/README.md
@ -18,6 +18,7 @@ The objective is to have a comment set of clusters for organizations starting an
 to localized information (which is not shared) or additional information (that can be shared).

 # Available Galaxy - clusters
+
 ## 360.net Threat Actors

 [360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360.net_threat_actors) - Known or estimated adversary groups as identified by 360.net.
@ -148,7 +149,7 @@ Category: *tool* - source: *MISP Project* - total: *52* elements

 ## FIRST DNS Abuse Techniques Matrix

-[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for Tmore information.
+[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.

 Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements

@ -382,7 +383,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements

 [Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar

-Category: *tool* - source: *Various* - total: *1624* elements
+Category: *tool* - source: *Various* - total: *1649* elements

 [[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]

@ -422,7 +423,7 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements

 [Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.

-Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2665* elements
+Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2696* elements

 [[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]

@ -446,7 +447,7 @@ Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total:

 [Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer.

-Category: *tool* - source: *Open Sources* - total: *11* elements
+Category: *tool* - source: *Open Sources* - total: *12* elements

 [[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)]

@ -470,7 +471,7 @@ Category: *target* - source: *Various* - total: *240* elements

 [TDS](https://www.misp-project.org/galaxy.html#_tds) - TDS is a list of Traffic Direction System used by adversaries

-Category: *tool* - source: *MISP Project* - total: *10* elements
+Category: *tool* - source: *MISP Project* - total: *11* elements

 [[HTML](https://www.misp-project.org/galaxy.html#_tds)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tds.json)]

@ -486,7 +487,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements

 [Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.

-Category: *actor* - source: *MISP Project* - total: *408* elements
+Category: *actor* - source: *MISP Project* - total: *418* elements

 [[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]

@ -494,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *408* elements

 [Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.

-Category: *tool* - source: *MISP Project* - total: *545* elements
+Category: *tool* - source: *MISP Project* - total: *549* elements

 [[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]

--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@ -1402,7 +1402,27 @@
      },
      "uuid": "b6919400-9b16-48ae-8379-fab26a506e32",
      "value": "KmsdBot"
+    },
+    {
+      "description": "Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.” Looks like an attempt to rewrite Mirai in Go. The threat actors behind HinataBot originally distributed Mirai binaries.",
+      "meta": {
+        "refs": [
+          "https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet",
+          "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "040f2e89-b8be-4150-9426-c30f75e858a2",
+      "value": "HinataBot"
    }
  ],
-  "version": 30
+  "version": 31
 }
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -20413,11 +20413,6 @@
      "uuid": "ce5eb940-5fd6-4d2f-bfa8-2191ae3e4239",
      "value": "CTF"
    },
-    {
-      "description": "Ransomware",
-      "uuid": "2a95f6b9-3ce7-40b9-bda8-0832e0d9d07f",
-      "value": "Cuba"
-    },
    {
      "description": "Ransomware",
      "uuid": "ed087a5a-41f7-4997-9701-ef46c984d89d",
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@ -209,7 +209,21 @@
      },
      "uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
      "value": "Rhadamanthys"
+    },
+    {
+      "description": "Python-based Stealer including Discord, Steam...",
+      "meta": {
+        "refs": [
+          "https://github.com/SOrdeal/Sordeal-Stealer"
+        ],
+        "synonyms": [
+          "Sordeal",
+          "Sordeal Stealer"
+        ]
+      },
+      "uuid": "0266302b-52d3-44da-ab63-a8a6f16de737",
+      "value": "Sordeal-Stealer"
    }
  ],
-  "version": 12
+  "version": 13
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -2185,7 +2185,8 @@
          "T-APT-12",
          "APT-C-20",
          "UAC-0028",
-          "FROZENLAKE"
+          "FROZENLAKE",
+          "Sofacy"
        ]
      },
      "related": [
@ -9780,7 +9781,8 @@
        ],
        "country": "CN",
        "refs": [
-          "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
+          "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/",
+          "https://khonggianmang.vn/uploads/CB_941_Canhbao_APT_36c5a857fa.pdf"
        ],
        "synonyms": [
          "UNC94"
@ -10612,7 +10614,25 @@
      ],
      "uuid": "a3c22f46-5135-4b39-a33f-92906ac12c31",
      "value": "TA866"
+    },
+    {
+      "description": "Since January 23, 2023, a threat actor identifying as \"Anonymous Sudan\" has been conducting denial of service (DDoS) attacks against multiple organizations in Sweden. This group claims to be \"hacktivists,\" politically motivated hackers from Sudan. According to Truesec’s report, the threat actor has nothing to do with the online activists collectively known as Anonymous.",
+      "meta": {
+        "cfr-suspected-victims": [
+          "Denmark",
+          "Sweden"
+        ],
+        "cfr-type-of-incident": [
+          "Denial of service"
+        ],
+        "references": [
+          "https://files.truesec.com/hubfs/Reports/Anonymous%20Sudan%20-%20Publish%201.2%20-%20a%20Truesec%20Report.pdf",
+          "https://www.truesec.com/hub/blog/what-is-anonymous-sudan"
+        ]
+      },
+      "uuid": "8ca38564-5515-45f5-9f3b-a4091546e10b",
+      "value": "Anonymous Sudan"
    }
  ],
-  "version": 262
+  "version": 263
 }