From 07cc6be922de7c0a8d6bdbe9a2c6eee64e4d65b2 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Sat, 20 Apr 2024 18:42:27 +0000
Subject: [PATCH 1/4] chg: [threat-actor] UNC3236 removed

---
 clusters/threat-actor.json | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 76446f7..f2e88ed 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15853,27 +15853,6 @@
 },
 "uuid": "dd0063e0-2d44-4798-9e6d-ef0eaa2c2508",
 "value": "UNC3569"
- },
- {
- "meta": {
- "refs": [
- "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
- ],
- "synonyms": [
- "Volt Typhoon"
- ]
- },
- "related": [
- {
- "dest-uuid": "b2535333-629d-4cd6-a98b-14c86f6a57ee",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "associated-with"
- }
- ],
- "uuid": "97c6d972-a3af-4a21-94a2-0f5e09c7320e",
- "value": "UNC3236"
 }
 ],
 "version": 307

From dd8b317912f8e94fcfbe18e95b021e8ac869793a Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Sun, 21 Apr 2024 06:35:56 +0000
Subject: [PATCH 2/4] chg: [threat-actor] `Earth Freybug` added

Tracking it seperately for now though TM identified it as subset of APT41
---
 clusters/threat-actor.json | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f2e88ed..51dc880 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8723,8 +8723,7 @@
 "Earth Baku",
 "Amoeba",
 "HOODOO",
- "Brass Typhoon",
- "Earth Freybug"
+ "Brass Typhoon"
 ]
 },
 "related": [
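Review bot: Dropping `"Earth Freybug"` from APT41's `synonyms` in the `@@ -8723,8 +8723,7 @@` hunk removes the only machine-readable link between APT41 and the new Earth Freybug cluster, even though the commit message itself records that Trend Micro treats it as a subset of APT41. The new cluster added in the following hunk (`@@ -15853,6 +15852,17 @@`) carries no `related` entry, so any consumer that previously matched Earth Freybug through the APT41 synonym now gets no hit at all. I would give the new cluster a `"related": [{"dest-uuid": "<APT41-cluster-uuid>", "tags": ["estimative-language:likelihood-probability=\"likely\""], "type": "associated-with"}]` entry, which is the same pattern the UNC3236 cluster removed in the first patch used. The APT41 uuid is not visible in this hunk; the `"related": [` array it opens continues past the hunk's last line.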
@@ -15853,6 +15852,17 @@
 },
 "uuid": "dd0063e0-2d44-4798-9e6d-ef0eaa2c2508",
 "value": "UNC3569"
+ },
+ {
+ "description": "Earth Freybug, identified as a subset of APT41, is a cyberthreat group active since at least 2012, engaging in espionage and financially motivated activities across various sectors worldwide. The tactics, techniques, and procedures (TTPs) used in this campaign are similar to the ones from a campaign (Operation CuckooBees) described in an article published by Cybereason. They employ a diverse toolkit, including LOLBins and custom malware, to execute sophisticated cyberespionage attacks. The group's recent tactics involve DLL hijacking and API unhooking through a newly discovered malware named UNAPIMON, which prevents child processes from being monitored. This technique was observed in a vmtoolsd.exe process creating remote tasks to deploy malicious batch files for reconnaissance and backdoor access. UNAPIMON's simplicity and use of Microsoft Detours for defense evasion highlight the group's evolving methods and the need for vigilant security measures, such as restricting admin privileges and adhering to the principle of least privilege. Earth Freybug's persistence and creativity in refining their techniques underscore the ongoing threat they pose and the importance of proactive cybersecurity practices.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html"
+ ]
+ },
+ "uuid": "c6e2e5ba-ffad-4258-8b6e-775b3fa230c3",
+ "value": "Earth Freybug"
 }
 ],
 "version": 307

From 3d5c61a8efa90e93b16d8c0aa8839180300d6713 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Fri, 26 Apr 2024 18:56:46 +0000
Subject: [PATCH 3/4] fix: resolve conflict

---
 clusters/threat-actor.json | 71 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 70 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 51dc880..1cb3880 100644
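Review bot: The `description` of the new Earth Freybug cluster reads as a pasted article summary rather than an actor profile: it refers to "this campaign" with no campaign in scope, narrates a single incident (`This technique was observed in a vmtoolsd.exe process …`) and closes with hardening advice (`the need for vigilant security measures … principle of least privilege`) and editorial praise of the group's "creativity", none of which describes who the actor is. Galaxy descriptions are consumed as short labels in MISP and ATT&CK-style tooling, so I would cut it to the attributable facts already in the text, e.g. `"description": "Earth Freybug is a cyberespionage group active since at least 2012 that Trend Micro assesses to be a subset of APT41. It uses LOLBins and custom malware, including the UNAPIMON defence-evasion tool, and its TTPs overlap with Operation CuckooBees."`, leaving the incident detail and mitigations to the linked reference. The `"version": 307` context line shows the cluster version is not bumped in this patch, though the later `fix: resolve conflict` patch does bump it to 308.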
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15863,7 +15863,76 @@
 },
 "uuid": "c6e2e5ba-ffad-4258-8b6e-775b3fa230c3",
 "value": "Earth Freybug"
+ },
+ {
+ "description": "Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from the World-Check and leaking about 186GB of data from a stock trading platform. They have been active on Breachforums.is, revealing massive data breaches involving comprehensive details of Thai users, including full names, phone numbers, email addresses, and ID card numbers.",
+ "meta": {
+ "refs": [
+ "https://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html",
+ "https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web"
+ ]
+ },
+ "uuid": "0e4ed0ab-87e2-4588-8fc0-3d720e0efebd",
+ "value": "GhostR"
+ },
+ {
+ "description": "UTA0218 is a threat actor with advanced capabilities, targeting organizations to establish a reverse shell, acquire tools, and extract data. They exploit vulnerabilities in firewall devices to move laterally within victim networks, focusing on obtaining domain backup keys and active directory credentials. The actor deploys a custom Python backdoor named UPSTYLE to execute commands and download additional tools. UTA0218 is likely state-backed, utilizing a mix of infrastructure including VPNs and compromised routers to store malicious files.",
+ "meta": {
+ "refs": [
+ "https://www.enigmasoftware.com/cve20243400vulnerability-removal/",
+ "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
+ ]
+ },
+ "uuid": "ee8b8fc4-59f4-4442-a4e6-3686d09c6509",
+ "value": "UTA0218"
+ },
+ {
+ "description": "UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.",
+ "meta": {
+ "refs": [
+ "https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/",
+ "https://cert.gov.ua/article/6277849"
+ ]
+ },
+ "uuid": "f5f6d4eb-1ec3-494e-807d-5b767122f9b2",
+ "value": "UAC-0149"
+ },
+ {
+ "description": "ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/"
+ ]
+ },
+ "uuid": "97a10d3b-5cb5-4df9-856c-515994f3e953",
+ "value": "ArcaneDoor"
+ },
+ {
+ "description": "UAT4356 is a state-sponsored threat actor that targeted government networks globally through a campaign named ArcaneDoor. They exploited two zero-day vulnerabilities in Cisco Adaptive Security Appliances to deploy custom malware implants called \"Line Runner\" and \"Line Dancer.\" The actor demonstrated a deep understanding of Cisco systems, utilized anti-forensic measures, and took deliberate steps to evade detection. UAT4356's sophisticated attack chain allowed them to conduct malicious actions such as configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement on compromised devices.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/"
+ ],
+ "synonyms": [
+ "UAT4356"
+ ]
+ },
+ "uuid": "3d94ef07-9fd6-4d64-bf1e-f1316f2686a4",
+ "value": "STORM-1849"
+ },
+ {
+ "description": "USDoD is a threat actor known for leaking large databases of personal information, including from companies like Airbus and the U.S. Environmental Protection Agency. They have a history of engaging in high-profile data breaches, such as exposing data from the FBI's InfraGard program. USDoD has also been involved in web scraping to obtain information from websites like LinkedIn.",
+ "meta": {
+ "refs": [
+ "https://www.hackread.com/us-environmental-protection-agency-hacked-data-leaked/",
+ "https://www.cysecurity.news/2023/09/transunion-refutes-data-breach-reports.html",
+ "https://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/",
+ "https://krebsonsecurity.com/2023/09/fbi-hacker-dropped-stolen-airbus-data-on-9-11/"
+ ]
+ },
+ "uuid": "d6882fb9-d1e4-4cec-889c-5423c772d199",
+ "value": "USDoD"
 }
 ],
- "version": 307
+ "version": 308
 }

From 72402ce38bfc0681b070a25f1337ccae8463241f Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Fri, 26 Apr 2024 19:15:47 +0000
Subject: [PATCH 4/4] chg: [threat-actor] STORM ->> Storm

---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
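Review bot: The `ArcaneDoor` cluster added in this hunk is a campaign, not a threat actor, and its `description` is the Talos post in the vendor's own voice (`In the past two years, we have seen a dramatic and sustained increase …`) padded with patching advice, none of which identifies an actor; the `STORM-1849` entry a few lines below already names the campaign and cites the same URL. I would either drop the ArcaneDoor cluster or cut its description to `"description": "ArcaneDoor is the name Cisco Talos gave to a state-sponsored espionage campaign against perimeter network devices from multiple vendors, attributed to UAT4356 / Storm-1849."` and, if it stays, point the Storm-1849 cluster at it with a `related` entry of `"type": "associated-with"` and `"dest-uuid": "97a10d3b-5cb5-4df9-856c-515994f3e953"`. The `GhostR` cluster spells the name `Ghostr` in its description but `GhostR` in `value`; one spelling should be chosen so text search and de-duplication agree. Six new clusters also land in a commit titled `fix: resolve conflict`, which hides substantive additions (70 insertions per the diffstat) behind a merge-fix message and makes them hard to find in history.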
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1cb3880..25b7ed2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15918,7 +15918,7 @@
 ]
 },
 "uuid": "3d94ef07-9fd6-4d64-bf1e-f1316f2686a4",
- "value": "STORM-1849"
+ "value": "Storm-1849"
 },
 {
 "description": "USDoD is a threat actor known for leaking large databases of personal information, including from companies like Airbus and the U.S. Environmental Protection Agency. They have a history of engaging in high-profile data breaches, such as exposing data from the FBI's InfraGard program. USDoD has also been involved in web scraping to obtain information from websites like LinkedIn.",