Merge pull request #533 from r0ny123/MergingTA

fix
pull/534/head
Alexandre Dulaunoy 2020-04-20 07:59:30 +02:00 committed by GitHub
commit f0257aed12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 56 additions and 65 deletions


@ -50,7 +50,7 @@
"https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/",
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf",
"https://www.symantec.com/connect/blogs/apt1-qa-attacks-comment-crew",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://attack.mitre.org/groups/G0006/",
"https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html"
],
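Review bot: the replacement on the added line trades a readable slug (apt1-qa-attacks-comment-crew) for an opaque community.broadcom.com DocumentKey, so a reader can no longer tell from the ref what it points to, and the CommunityKey and tab query parameters are UI state rather than part of the document identity. Consider keeping a web.archive.org snapshot of the original Symantec Connect URL alongside it, as other hunks in this change do, so the title survives if the Broadcom library is reorganised again.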
@ -100,7 +100,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf",
"https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/"
],
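Review bot: the_nitro_attacks.pdf is now a third-party mirror on paper.seebug.org rather than the publisher, while the same change uses web.archive.org snapshots for other retired Symantec URLs. Pick one strategy for vendor PDFs (an archive.org snapshot of the original is the more verifiable of the two) and apply it consistently, or keep the mirror and add the archive snapshot next to it.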
@ -118,7 +118,6 @@
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
"http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf",
"http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
"https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html",
"https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
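Review bot: this hunk drops the isightpartners.com Codoso write-up outright (7 lines become 6) instead of replacing it; it is the primary reporting on the c0d0s0 group, and a web.archive.org snapshot of http://www.isightpartners.com/2015/02/codoso/ would preserve it. The #sthash.VJMDVPQB.dpuf fragment on the old URL is share-widget residue and can be left off the archived URL.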
@ -160,7 +159,7 @@
"meta": {
"refs": [
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf",
"https://www.symantec.com/connect/blogs/inside-back-door-attack",
"https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack",
"https://attack.mitre.org/groups/G0031/"
]
},
@ -336,7 +335,7 @@
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://www.cfr.org/interactive/cyber-operations/apt-3"
],
"synonyms": [
@ -504,11 +503,11 @@
"country": "CN",
"refs": [
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
"https://www.cfr.org/interactive/cyber-operations/apt-17",
"https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
"https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
"https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
"https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
"https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
"https://www.recordedfuture.com/hidden-lynx-analysis/"
],
"synonyms": [
@ -608,26 +607,6 @@
"uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
"value": "Wekby"
},
{
"description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
"https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"https://blog.lookout.com/titan-mobile-threat",
"https://attack.mitre.org/groups/G0081/"
],
"synonyms": [
"Operation Tropic Trooper",
"Operation TropicTrooper",
"TropicTrooper"
]
},
"uuid": "4fd409a9-db86-46a5-bdf2-b6c8ee397a89",
"value": "Tropic Trooper"
},
{
"description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'",
"meta": {
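Review bot: deleting the standalone Tropic Trooper cluster removes uuid 4fd409a9-db86-46a5-bdf2-b6c8ee397a89 from the galaxy, so any event tag or cross-reference that uses it will stop resolving once this is merged. Please record the merge in the changelog and keep the old uuid discoverable (for example as a related entry on the APT23 cluster it is being folded into) rather than silently dropping it.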
@ -760,7 +739,7 @@
"https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/",
"https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
"https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
"https://attack.mitre.org/groups/G0009/"
],
"synonyms": [
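Review bot: the replacement www-west.symantec.com path is still a vendor-hosted symantec.com URL, so it is exposed to the same relocation this change is cleaning up; a web.archive.org snapshot of either URL would be the durable choice. The same applies to the elderwood-project and waterbug-attack-group whitepapers moved to www-west.symantec.com further down.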
@ -1490,7 +1469,7 @@
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/sneaky-panda",
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf",
"https://attack.mitre.org/groups/G0066/"
],
"synonyms": [
@ -1668,18 +1647,27 @@
"value": "Temper Panda"
},
{
"description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
"http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
"https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"https://blog.lookout.com/titan-mobile-threat",
"https://attack.mitre.org/groups/G0081/"
],
"synonyms": [
"APT23",
"APT 23",
"KeyBoy"
"KeyBoy",
"TropicTrooper",
"Tropic Trooper"
]
},
"uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
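Review bot: the merge loses two synonyms from the deleted entry, "Operation Tropic Trooper" and "Operation TropicTrooper", since only "TropicTrooper" and "Tropic Trooper" are appended to the synonyms list; carry all four over. The added description is copied verbatim, including "haveset" inside the TrendMicro quote (check whether that is in the original report or a transcription error), and it describes only Tropic Trooper, so the entry now asserts that KeyBoy, APT23 and Tropic Trooper are one actor without a sentence or ref stating the basis for that aliasing; one line in the description would make the merge reviewable.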
@ -1994,7 +1982,7 @@
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
"https://www.brighttalk.com/webcast/10703/275683",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage"
],
"synonyms": [
"APT 33",
@ -2072,7 +2060,7 @@
"http://www.clearskysec.com/thamar-reservoir/",
"https://citizenlab.ca/2015/08/iran_two_factor_phishing/",
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
"https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
"https://en.wikipedia.org/wiki/Rocket_Kitten",
"https://www.cfr.org/interactive/cyber-operations/rocket-kitten"
@ -2377,7 +2365,7 @@
"https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf",
"https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
"https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
"https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
@ -2564,7 +2552,7 @@
"https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
"https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
"https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
"https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
@ -2641,7 +2629,7 @@
"country": "RU",
"refs": [
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
"http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
"https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
"https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
@ -2649,7 +2637,7 @@
"https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
"https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
"https://www.riskiq.com/blog/labs/energetic-bear/",
"https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
"https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
"https://attack.mitre.org/groups/G0035/",
@ -2706,7 +2694,7 @@
"https://www.us-cert.gov/ncas/alerts/TA17-163A",
"https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
"https://www.cfr.org/interactive/cyber-operations/black-energy",
"https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
"https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
"https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
"https://attack.mitre.org/groups/G0034/"
@ -2808,7 +2796,7 @@
"https://en.wikipedia.org/wiki/Carbanak",
"https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
"http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf",
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
"https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
@ -2906,7 +2894,7 @@
"refs": [
"https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/",
"https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
"https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware",
"https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
"https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
@ -3053,10 +3041,10 @@
"https://content.fireeye.com/apt/rpt-apt38",
"https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/",
"https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack",
"https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise",
"https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise",
"https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html",
"https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov",
"https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war",
"https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov",
"https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/",
"https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/",
@ -3073,13 +3061,13 @@
"https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c",
"https://attack.mitre.org/groups/G0032/",
"https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/",
"https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105",
"https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD",
"https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
"https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
"https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
"https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/",
"https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0",
"https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware",
"https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html",
"https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret",
"https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
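Review bot: the replacement .../connect/blogs/attackers-target-dozens-global-banks-new-malware only drops the "-0" suffix and still points at www.symantec.com/connect, the host every other hunk in this change treats as gone; the swift-attackers ref in the same hunk got a web.archive.org snapshot, so this one should get the same treatment (verify which slug the archive actually captured, with or without "-0").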
@ -3390,7 +3378,7 @@
"cfr-type-of-incident": "Espionage",
"country": "IN",
"refs": [
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign",
"https://www.cymmetria.com/patchwork-targeted-attack/",
"https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
@ -3596,7 +3584,7 @@
"refs": [
"https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/",
"https://www.cfr.org/interactive/cyber-operations/project-sauron",
"https://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf",
"https://attack.mitre.org/groups/G0041/"
],
@ -3727,8 +3715,8 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates",
"http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://attack.mitre.org/groups/G0039/"
]
},
@ -3836,9 +3824,9 @@
"https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json",
"https://www.cfr.org/interactive/cyber-operations/oilrig",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
"https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
"https://www.symantec.com/connect/blogs/shamoon-attacks",
"https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
"https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://www.clearskysec.com/oilrig/",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
"https://attack.mitre.org/groups/G0049/"
@ -4098,7 +4086,7 @@
"attribution-confidence": "50",
"country": "IR",
"refs": [
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
"https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
]
},
"uuid": "03f13462-003c-4296-8784-bccea16710a9",
@ -4110,8 +4098,7 @@
"attribution-confidence": "50",
"country": "IR",
"refs": [
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
"https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
]
},
"uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3",
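Review bot: the Chafer entry loses the iran-based-attackers-use-back-door-threats ref entirely (8 lines become 7), while the hunk immediately above keeps the same article for the neighbouring entry as a web.archive.org snapshot (20191221064439); if the ref belonged on Chafer before, point it at that snapshot instead of removing it.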
@ -4241,7 +4228,7 @@
"attribution-confidence": "50",
"country": "IR",
"refs": [
"https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
"https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
"https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/",
"https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/",
"https://www.clearskysec.com/greenbug/"
@ -4420,7 +4407,7 @@
"cfr-type-of-incident": "Espionage",
"country": "US",
"refs": [
"https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/",
"https://www.cfr.org/interactive/cyber-operations/longhorn",
"http://blogs.360.cn/post/APT-C-39_CIA_EN.html"
@ -4627,7 +4614,7 @@
"meta": {
"refs": [
"https://dragos.com/blog/20180802Raspite.html",
"https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
"https://attack.mitre.org/groups/G0077/"
],
"since": "2017",
@ -5073,7 +5060,7 @@
"https://www.cfr.org/interactive/cyber-operations/madi",
"https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east",
"https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/",
"https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns"
"https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns"
]
},
"uuid": "d5dacda0-12c2-4e80-bdf2-1c5019ec40e2",
@ -6427,7 +6414,10 @@
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework",
"https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit",
"https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
"https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
"https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
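Review bot: the unchanged context line https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies is left on www.symantec.com/blogs while other hunks in this change move that path to symantec-blogs.broadcom.com; update it in the same pass. The added bluecoat.com archive URL carries percent-encoded curly quotes (%E2%80%9C and %E2%80%9D), so it is worth confirming the snapshot resolves with that exact encoding.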
@ -6805,7 +6795,8 @@
"description": "Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.",
"meta": {
"refs": [
"http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html"
"http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html",
"https://cybaze.it/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf"
],
"synonyms": [
"Operation EvilTraffic"
@ -7480,7 +7471,7 @@
"description": "A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the email. For example, one email sent to an academic claimed to be a call for papers for a conference (CFP).\nThe vast majority of the victims were based in India, with some in Malaysia. The victim industry was mostly military research and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a shotgun like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack with what appeared to be source code stolen. 45 different attacker IP addresses were observed. Out of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous.ænThe attacks have been active from at least April 2011 up to February 2012. 
The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero day exploits or complicated threats, instead they rely on effective social engineering and lax security measures on the part of the victims.",
"meta": {
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf",
"https://vx-underground.org/papers/luckycat-hackers-12-en.pdf",
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf"
]
},
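Review bot: the luckycat whitepaper is replaced with a vx-underground.org mirror rather than an archive.org snapshot of the Symantec original, which makes a third mirroring strategy in one change alongside paper.seebug.org and web.archive.org; prefer one. Separately, the description context line contains "anonymous.ænThe attacks", a mis-encoded paragraph break that should be a "\n" like the one earlier in the same string; that is pre-existing, but this hunk already touches the entry and is a good place to fix it.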