From 2567d6f1f8f4415b7ce8198e051f2c13ec1d0cd0 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 1 Mar 2023 14:51:29 -0800
Subject: [PATCH 01/10] [threat-actors] Add TA406
---
 clusters/threat-actor.json | 39 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9e230a81..b33e8090 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10286,6 +10286,45 @@
 },
 "uuid": "85f20141-1c8e-49ac-b963-eaa1fb1f4018",
 "value": "DEV-0147"
+ },
+ {
+ "description": "TA406 is engaging in malware distribution, phishing, intelligence collection, and cryptocurrency theft, resulting in a wide range of criminal activities.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "China",
+ "France",
+ "Germany",
+ "India",
+ "Japan",
+ "North America",
+ "Russia",
+ "South Africa",
+ "South Korea",
+ "United Kingdom"
+ ],
+ "cfr-target-category": [
+ "Government",
+ "Journalists",
+ "NGOs"
+ ],
+ "country": "KR",
+ "references": [
+ "https://www.bleepingcomputer.com/news/security/north-korean-cyberspies-target-govt-officials-with-custom-malware/",
+ "https://siliconangle.com/2021/11/18/north-korean-cybercriminal-group-ta406-escalates-attacks-2021/",
+ "https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "part-of"
+ }
+ ],
+ "uuid": "89f005f9-22e9-4c50-9b48-e94c521266e5",
+ "value": "TA406"
 }
 ],
 "version": 260
From 3406ad3aa9ff8001dd7ccaf5358cc1855b100258 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 1 Mar 2023 15:15:45 -0800
Subject: [PATCH 02/10] [threat-actors] Add APT42
---
 clusters/threat-actor.json | 49 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 47 insertions(+), 2 deletions(-)
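Review bot: `"country": "KR"` in the new TA406 entry is the ISO 3166-1 alpha-2 code for South Korea, yet the references added two lines below describe a North Korean group and `"South Korea"` appears in the same entry's `cfr-suspected-victims`, so the actor's country should read `"country": "KP",`. The sources are also stored under `"references"`, whereas the existing entries edited in patches 05 and 09 of this series use `"refs"`; if the cluster schema enumerates its meta keys, a `references` key is either rejected or silently ignored by consumers, so `refs` should be used here and in the new entries of patches 02, 03, 04, 06, 07 and 08. The `part-of` relation points at a UUID not visible in this hunk; confirm it resolves to the intended parent cluster.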
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b33e8090..33d669ab 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10309,8 +10309,6 @@
 ],
 "country": "KR",
 "references": [
- "https://www.bleepingcomputer.com/news/security/north-korean-cyberspies-target-govt-officials-with-custom-malware/",
- "https://siliconangle.com/2021/11/18/north-korean-cybercriminal-group-ta406-escalates-attacks-2021/",
 "https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals"
 ]
 },
@@ -10325,6 +10323,53 @@
 ],
 "uuid": "89f005f9-22e9-4c50-9b48-e94c521266e5",
 "value": "TA406"
+ },
+ {
+ "description": "Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.",
+ "meta": {
+ "attribution-confidence": "50",
+ "cfr-suspected-victims": [
+ "Australia",
+ "Europe",
+ "Middle East",
+ "US"
+ ],
+ "cfr-target-category": [
+ "Education",
+ "Government",
+ "Healthcare",
+ "Legal",
+ "Manufacturing",
+ "Media",
+ "NGOs",
+ "Pharmaceuticals"
+ ],
+ "country": "IR",
+ "references": [
+ "https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises"
+ ],
+ "synonyms": [
+ "UNC788"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "35f887ad-6709-4d0b-8e9c-6b3fa09c783f",
+ "value": "APT42"
 }
 ],
 "version": 260
From bff978e4d16930850d45af93824cf1307fc9685a Mon Sep 17 00:00:00 2001
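Review bot: The new APT42 entry writes `"US"` in `cfr-suspected-victims` while the TA406 entry it follows spells out `"United Kingdom"` and the Karakurt entry in patch 06 uses `"United States"`; the Chamelgang entry in patch 04 also uses `"US"`, so one spelling should be chosen across the series or filtering on this field will miss entries. The same list mixes countries with regions (`"Europe"`, `"Middle East"`), which is acceptable if the field is free text but should then be read as such by consumers. The first hunk of this patch removes two TA406 references added in patch 01 without the subject line saying so; squashing that removal into patch 01 would keep the history readable.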
From: Mathieu Beligon
Date: Wed, 1 Mar 2023 15:24:55 -0800
Subject: [PATCH 03/10] [threat-actors] Add TA453
---
 clusters/threat-actor.json | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 33d669ab..8d236d22 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10370,6 +10370,41 @@
 ],
 "uuid": "35f887ad-6709-4d0b-8e9c-6b3fa09c783f",
 "value": "APT42"
+ },
+ {
+ "description": "TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.",
+ "meta": {
+ "country": "IR",
+ "references": [
+ "https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations",
+ "https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "35f887ad-6709-4d0b-8e9c-6b3fa09c783f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "c1d44f44-425e-48fd-b78b-84b988da8bc3",
+ "value": "TA453"
 }
 ],
 "version": 260
From fa57354471a5d09a35da5bec56341404a756fed0 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 1 Mar 2023 15:40:23 -0800
Subject: [PATCH 04/10] [threat-actors] Add Chamelgang
---
 clusters/threat-actor.json | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8d236d22..98be953d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10405,6 +10405,44 @@
 ],
 "uuid": "c1d44f44-425e-48fd-b78b-84b988da8bc3",
 "value": "TA453"
+ },
+ {
+ "description": "In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. They gave the group the name ChamelGang (from the word \"chameleon\"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "India",
+ "Japan",
+ "Nepal",
+ "Russia",
+ "Taiwan",
+ "US"
+ ],
+ "cfr-target-category": [
+ "Aviation",
+ "Energy"
+ ],
+ "references": [
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b91e1d34-cabd-404f-84d2-51a4f9840ffb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "eafdd27f-a3e2-4bb1-ae03-bf9ca5ff0355",
+ "value": "Chamelgang"
 }
 ],
 "version": 260
From 7d371b4c80f0088c2c5588e2dd6192739420dc5d Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 1 Mar 2023 15:45:41 -0800
Subject: [PATCH 05/10] [threat-actors] Add CYBORG SPIDER alias to GOCLD BURLAP
---
 clusters/threat-actor.json | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 98be953d..5c45eee7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
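Review bot: `"value": "Chamelgang"` disagrees with the casing the entry's own description uses for the group, `ChamelGang`, which is the name PT ESC assigned; since `value` is the label analysts match on and display, it should read `"value": "ChamelGang"`. The subject line of the patch carries the same lowercase spelling. The two `uses` relations target UUIDs not visible in this hunk; confirm they resolve to the intended tool or malware clusters.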
@@ -8468,10 +8468,33 @@
 {
 "description": "GOLD BURLAP is a group of financially motivated criminals responsible for the development of the Pysa ransomware, also referred to as Mespinoza. Pysa is a cross-platform ransomware with known versions written in C++ and Python. As of December 2020, approximately 50 organizations had reportedly been targeted in Pysa ransomware attacks. The operators leverage 'name and shame' tactics to apply additional pressure to victims. As of January 2021, CTU researchers had found no Pysa advertisements on underground forums, which likely indicates that it is not operated as ransomware as a service (RaaS).",
 "meta": {
+ "cfr-target-category": [
+ "Healthcare"
+ ],
 "refs": [
- "http://www.secureworks.com/research/threat-profiles/gold-burlap"
+ "http://www.secureworks.com/research/threat-profiles/gold-burlap",
+ "https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf"
+ ],
+ "synonyms": [
+ "CYBORG SPIDER"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "68a7ca8e-2902-43f2-ad23-a77b4c48221d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "588fb91d-59c6-4667-b299-94676d48b17b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "d34ca487-1613-4ee5-8930-2ac8a60f945f",
 "value": "GOLD BURLAP"
 },
From 84faa3c92b32b0d3ddfff1e0fdf3243dde764870 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 1 Mar 2023 16:33:31 -0800
Subject: [PATCH 06/10] [threat-actors] Add Karakurt
---
 clusters/threat-actor.json | 45 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5c45eee7..b0cf0aa8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10466,6 +10466,51 @@
 ],
 "uuid": "eafdd27f-a3e2-4bb1-ae03-bf9ca5ff0355",
 "value": "Chamelgang"
+ },
+ {
+ "description": "Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Canada",
+ "Germany",
+ "United Kingdom",
+ "United States"
+ ],
+ "cfr-type-of-incident": "Extortion",
+ "references": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation"
+ ],
+ "synonyms": [
+ "Karakurt Lair"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "588fb91d-59c6-4667-b299-94676d48b17b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7d71d21e-68f0-4595-beee-7c353471463d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "035fbd5c-e4a1-4c7b-80fb-f5a89a361aed",
+ "value": "Karakurt"
 }
 ],
 "version": 260
From 61cb24a3fc2641d1e3035e58908243b8d0c0e45f Mon Sep 17 00:00:00 2001
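Review bot: The AdvIntel reference in the new Karakurt entry is titled as describing the data-extortion arm of a larger ransomware group, but the entry's `related` list carries only three `uses` links and no `part-of` or `similar` relation to that group's cluster; if such a cluster exists in this file, adding the relation with an estimative-language tag, as the other links here do, would make the lineage machine-readable rather than only inferable from a URL. The ransom-range and deadline sentences read as a verbatim advisory excerpt; a short provenance marker such as `(per CISA AA22-152a)` at the end of the description would make that explicit. The three `uses` targets are UUIDs not visible in this hunk; confirm they resolve.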
From: Mathieu Beligon
Date: Wed, 1 Mar 2023 16:37:42 -0800
Subject: [PATCH 07/10] [threat-actors] Add Nemesis Kitten
---
 clusters/threat-actor.json | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b0cf0aa8..256840e3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10511,6 +10511,29 @@
 ],
 "uuid": "035fbd5c-e4a1-4c7b-80fb-f5a89a361aed",
 "value": "Karakurt"
+ },
+ {
+ "description": "Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.",
+ "meta": {
+ "country": "IR",
+ "references": [
+ "https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
+ ],
+ "synonyms": [
+ "Nemesis Kitten"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "part-of"
+ }
+ ],
+ "uuid": "7b90319a-9f7b-466d-9f90-7fcc270ed505",
+ "value": "DEV-0270"
 }
 ],
 "version": 260
From 4bbee8c1e7228e2896a3207c02e7d6376d0cbdc9 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 2 Mar 2023 10:19:24 -0800
Subject: [PATCH 08/10] [threat-actors] Add PROPHET SPIDER
---
 clusters/threat-actor.json | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 256840e3..d31bc4ba 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
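Review bot: The description states that Microsoft attributes DEV-0270 to Iran only with moderate confidence, yet the entry sets `"country": "IR"` with no `attribution-confidence`, while the APT42 entry in patch 02 encodes a comparable assessment as `"attribution-confidence": "50"`; adding the same field here would keep the confidence machine-readable instead of prose-only. The `part-of` relation targets `b8967b3c-3bc9-11e8-8701-8b1ead8c099e`, the same UUID the APT42 and TA453 entries in patches 02 and 03 mark as `similar`; presumably this is the PHOSPHORUS cluster named in the description, which is worth confirming since a wrong parent propagates to every consumer of the relationship graph.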
@@ -10534,6 +10534,34 @@
 ],
 "uuid": "7b90319a-9f7b-466d-9f90-7fcc270ed505",
 "value": "DEV-0270"
+ },
+ {
+ "description": "PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.",
+ "meta": {
+ "country": "",
+ "references": [
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "cd84bc53-8684-4921-89c7-2cf49512bf61",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b5814e05-532a-4262-a8da-82fd0d7605ee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "eb0b100c-8a4e-4859-b6f8-eebd66c3d20c",
+ "value": "Prophet Spider"
 }
 ],
 "version": 260
From e1407c3c3fda30ea760a097f40db753d809970bf Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 2 Mar 2023 10:29:29 -0800
Subject: [PATCH 09/10] [threat-actors] Add SLIPPY SPIDER alias to LAPSUS
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d31bc4ba..45914d9a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
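Review bot: `"country": ""` in the new entry uses an empty string as an unknown sentinel, whereas the Chamelgang and Karakurt entries in patches 04 and 06 simply omit `country` when it is not known; an empty string is not a valid ISO 3166-1 code and will trip any validator or consumer that treats the key as a country code, so the line should be dropped. `"value": "Prophet Spider"` also departs from the all-caps vendor naming the series itself uses for CrowdStrike names (`"CYBORG SPIDER"`, `"SLIPPY SPIDER"`, and `PROPHET SPIDER` in this entry's own description and in the patch subject); `"value": "PROPHET SPIDER"` would match. The two `uses` targets are UUIDs not visible here; confirm they resolve.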
@@ -8895,11 +8895,13 @@
 "meta": {
 "refs": [
 "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/",
- "https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/"
+ "https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/",
+ "https://www.crowdstrike.com/adversaries/slippy-spider/"
 ],
 "synonyms": [
 "LAPSUS$",
- "DEV-0537"
+ "DEV-0537",
+ "SLIPPY SPIDER"
 ]
 },
 "uuid": "d9e5be22-1a04-4956-af6c-37af02330980",
From 395ffda94f89898542be09e2e116028b0549fe77 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 2 Mar 2023 10:29:52 -0800
Subject: [PATCH 10/10] [threat-actors] bump version
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 45914d9a..0da6af50 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10566,5 +10566,5 @@
 "value": "Prophet Spider"
 }
 ],
- "version": 260
+ "version": 261
 }