Merge pull request #922 from Mathieu4141/threat-actors/133b2e2d-4948-4361-a9c5-d1798d1b7f4e

[threat actors] Add some missing Proofpoint aliases
adulau authored Feb 5, 2024
2 parents ca366fc + ffeed34 commit 9bd5c32
Showing 1 changed file with 78 additions and 17 deletions.
95 changes: 78 additions & 17 deletions clusters/threat-actor.json
Expand Up @@ -1035,7 +1035,8 @@
"https://unit42.paloaltonetworks.com/atoms/granite-taurus",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
],
"synonyms": [
"STONE PANDAD",
Expand All @@ -1049,7 +1050,8 @@
"BRONZE RIVERSIDE",
"ATK41",
"G0045",
"Granite Taurus"
"Granite Taurus",
"TA429"
]
},
"related": [
Expand Down Expand Up @@ -1945,7 +1947,8 @@
"COBALT TRINITY",
"G0064",
"ATK35",
"Peach Sandstorm"
"Peach Sandstorm",
"TA451"
],
"victimology": "Petrochemical, Aerospace, Saudi Arabia"
},
Expand Down Expand Up @@ -3214,7 +3217,8 @@
"https://attack.mitre.org/groups/G0082",
"https://attack.mitre.org/groups/G0032",
"https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/",
"https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds"
"https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
],
"synonyms": [
"Operation DarkSeoul",
Expand Down Expand Up @@ -3252,7 +3256,9 @@
"Diamond Sleet",
"ZINC",
"Sapphire Sleet",
"COPERNICIUM"
"COPERNICIUM",
"TA404",
"Lazarus group"
]
},
"related": [
Expand Down Expand Up @@ -4022,7 +4028,8 @@
"G0049",
"Evasive Serpens",
"Hazel Sandstorm",
"EUROPIUM"
"EUROPIUM",
"TA452"
],
"targeted-sector": [
"Chemical",
Expand Down Expand Up @@ -6200,7 +6207,8 @@
"https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
"https://attack.mitre.org/groups/G0069/",
"http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
"https://unit42.paloaltonetworks.com/atoms/boggyserpens/"
"https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
"https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/"
],
"synonyms": [
"TEMP.Zagros",
Expand All @@ -6211,7 +6219,8 @@
"G0069",
"ATK51",
"Boggy Serpens",
"Mango Sandstorm"
"Mango Sandstorm",
"TA450"
]
},
"related": [
Expand Down Expand Up @@ -6957,15 +6966,21 @@
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
"https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
"https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european",
"https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/"
],
"synonyms": [
"BRONZE PRESIDENT",
"HoneyMyte",
"Red Lich",
"TEMP.HEX",
"BASIN",
"Earth Preta"
"Earth Preta",
"TA416",
"Stately Taurus",
"LuminousMoth"
]
},
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
Expand Down Expand Up @@ -7613,7 +7628,8 @@
"REMIX KITTEN",
"COBALT HICKMAN",
"G0087",
"Radio Serpens"
"Radio Serpens",
"TA454"
]
},
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
Expand Down Expand Up @@ -7931,12 +7947,15 @@
"https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian",
"https://www.secureworks.com/research/threat-profiles/cobalt-dickens",
"https://community.riskiq.com/article/44eb0802"
"https://community.riskiq.com/article/44eb0802",
"https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect"
],
"synonyms": [
"COBALT DICKENS",
"Mabna Institute",
"TA407"
"TA407",
"TA4900",
"Yellow Nabu"
]
},
"uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
Expand Down Expand Up @@ -7971,14 +7990,17 @@
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
],
"synonyms": [
"ZIRCONIUM",
"JUDGMENT PANDA",
"BRONZE VINEWOOD",
"Red keres",
"Violet Typhoon"
"Violet Typhoon",
"TA412",
"Zirconium"
]
},
"related": [
Expand Down Expand Up @@ -9161,10 +9183,16 @@
"refs": [
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
"https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/"
"https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/",
"https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector"
],
"synonyms": [
"DeathStalker"
"DeathStalker",
"TA4563",
"EvilNum",
"Jointworm"
]
},
"uuid": "b6f3150f-2240-4c57-9dda-5144c5077058",
Expand Down Expand Up @@ -14728,6 +14756,39 @@
},
"uuid": "2485a9cb-b41c-43bd-8b1c-c64e919c0a4e",
"value": "Storm-1575"
},
{
"description": "Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers. \n\n",
"meta": {
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks"
]
},
"uuid": "e9de47f0-3e68-465c-b91e-7a2b7371955c",
"value": "TA2552"
},
{
"description": "TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.",
"meta": {
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread"
],
"synonyms": [
"Balikbayan Foxes"
]
},
"uuid": "625c3fb4-16fc-4992-9ff2-4fad869750ac",
"value": "TA2722"
},
{
"description": "In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay. ",
"meta": {
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages"
]
},
"uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52",
"value": "TA2719"
}
],
"version": 298
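Review bot: The synonym `"Zirconium"` added to the JUDGMENT PANDA / Violet Typhoon cluster duplicates the `"ZIRCONIUM"` entry already at the top of that same synonyms list, differing only in case, so any consumer that matches aliases case-insensitively will carry the same name twice; drop the new `"Zirconium"` line rather than add it. The same concern may apply to `"Lazarus group"` in the Lazarus cluster if that cluster's `value` (not visible in this hunk) is already "Lazarus Group". Several new aliases — `"LuminousMoth"` in the BRONZE PRESIDENT / Earth Preta cluster, `"Jointworm"` in the DeathStalker cluster, and `"TA4900"` / `"Yellow Nabu"` in the Silent Librarian cluster — arrive with no corresponding entry in that cluster's `refs`, so the reporting that justifies merging them is not recorded; add the source that makes the link, or state the association's confidence in the description, since these alias tables drive automatic correlation of otherwise separate intrusions. Finally, the new `description` strings for TA2552 and TA2719 end in stray whitespace (a literal `\n\n` and a trailing space respectively) that should be trimmed before this becomes the canonical text.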