Tidal Campaigns
Tidal Campaigns Cluster
Authors
Authors and/or Contributors |
---|
Tidal Cyber |
2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
Internal MISP references
UUID 96e367d0-a744-5b63-85ec-595f505248a3
which can be used as a unique global reference for 2015 Ukraine Electric Power Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0028 |
first_seen | 2015-12-01T05:00:00Z |
last_seen | 2016-01-01T05:00:00Z |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
2016 Ukraine Electric Power Attack
2016 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by Sandworm Team.[ESET Industroyer][Dragos Crashoverride 2018]
Internal MISP references
UUID 06197e03-e1c1-56af-ba98-5071f98f91f1
which can be used as a unique global reference for 2016 Ukraine Electric Power Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0025 |
first_seen | 2016-12-01T05:00:00Z |
last_seen | 2016-12-01T05:00:00Z |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
2022 Ukraine Electric Power Attack
The 2022 Ukraine Electric Power Attack was a Sandworm Team campaign that used a combination of GOGETTER, Neo-REGEORG, CaddyWiper, and living off the land (LotL) techniques to gain access to a Ukrainian electric utility and send unauthorized commands from its SCADA system.[Mandiant-Sandworm-Ukraine-2022][Dragos-Sandworm-Ukraine-2022]
Internal MISP references
UUID a79e06d1-df08-5c72-9180-2c373274f889
which can be used as a unique global reference for 2022 Ukraine Electric Power Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0034 |
first_seen | 2022-06-01T04:00:00Z |
last_seen | 2022-10-01T04:00:00Z |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
2023 Increased Truebot Activity
In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated by the collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.[U.S. CISA Increased Truebot Activity July 6 2023]
The Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.[U.S. CISA Increased Truebot Activity July 6 2023][Cisco Talos Blog December 08 2022]
Related Vulnerabilities: CVE-2022-31199[U.S. CISA Increased Truebot Activity July 6 2023]
Internal MISP references
UUID 87e14285-b86f-4f50-8d60-85398ba728b1
which can be used as a unique global reference for 2023 Increased Truebot Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3003 |
first_seen | 2022-08-01T00:00:00Z |
last_seen | 2023-05-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '7cc57262-5081-447e-85a3-31ebb4ab2ae5'] |
2023 Ivanti EPMM APT Vulnerability Exploits
In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization's mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.
Ivanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the source report.[U.S. CISA CVE-2023-35078 Exploits]
Related Vulnerabilities: CVE-2023-35078[U.S. CISA CVE-2023-35078 Exploits], CVE-2023-35081[U.S. CISA CVE-2023-35078 Exploits]
Internal MISP references
UUID 33fd2417-0a9c-4748-ab99-0e641ab29fbc
which can be used as a unique global reference for 2023 Ivanti EPMM APT Vulnerability Exploits
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3007 |
first_seen | 2023-04-01T00:00:00Z |
last_seen | 2023-07-28T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['2d80c940-ba2c-4d45-8272-69928953e9eb', '15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '81e948b3-5ec0-4df8-b6e7-1b037b1b2e67', '7551097a-dfdd-426f-aaa2-a2916dd9b873'] |
2023 Zoho ManageEngine APT Exploits
In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organization’s public-facing web servers. A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.’s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organization’s firewall devices.
After gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).[U.S. CISA Zoho Exploits September 7 2023]
In addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the source report.
Related Vulnerabilities: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228[U.S. CISA Zoho Exploits September 7 2023]
Internal MISP references
UUID d25f0485-fdf3-4b85-b2ec-53e98e215d0b
which can be used as a unique global reference for 2023 Zoho ManageEngine APT Exploits
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3009 |
first_seen | 2023-01-01T00:00:00Z |
last_seen | 2023-04-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '7e6ef160-8e4f-4132-bdc4-9991f01c472e', '793f4441-3916-4b3d-a3fd-686a59dc3de2', '532b7819-d407-41e9-9733-0d716b69eb17'] |
AMBERSQUID
AMBERSQUID is a "cloud-native" financially motivated threat operation that specifically leverages AWS services. Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.[Sysdig AMBERSQUID September 18 2023]
Internal MISP references
UUID cf42d51a-8002-4f04-a930-21c15115769f
which can be used as a unique global reference for AMBERSQUID
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3030 |
first_seen | 2022-05-01T00:00:00Z |
last_seen | 2023-03-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e5f6e4a-4579-46f7-9997-6923180815dd', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Andariel Espionage Activity
In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.
Andariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023, and it references public threat reporting published from March 2021 through May 2024.[U.S. CISA Andariel July 25 2024]
Internal MISP references
UUID 458dc371-5dc2-4e6c-8157-3a872dd29726
which can be used as a unique global reference for Andariel Espionage Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3048 |
first_seen | 2021-03-01T00:00:00Z |
last_seen | 2024-05-30T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['af5e9be5-b86e-47af-91dd-966a5e34a186', '27a117ce-bb19-4f79-9bc2-a851b69c5c50', '6070668f-1cbd-4878-8066-c636d1d8659c', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '4f4744b0-8401-423c-9ed0-3cb2985d9fd3', 'ddfaecd0-bd3e-41ac-85c7-ca2156684343', '0dbed83d-af67-4ce0-a1ee-16f1165fdc0f', '6422a882-7606-4aa3-b994-f917f53c2ada', 'c1b123d2-ce58-4345-8482-d1da27b3c053', 'f166e59e-9877-4102-a39b-fae38df4b790', '6a82d685-3f77-498d-91c3-a759292ec2da', 'a32a757a-9d6b-43ca-ac4b-5f695dd0f110', 'ac70560d-c3e7-4b40-a4d6-a3287e3d952b', '75f62312-a7ee-4534-8c8a-e3b7366a3a4b', '887d1cfe-d0c5-431c-8dce-0e1b9a2505aa', '96eec53f-355c-406c-87ba-18c3be4c69a1', '54fafdbe-1ea0-4f48-99ad-757c8fe50df2', '35b334ec-4169-4898-ab90-487eea7feb69', '4ac4e1b9-2192-47ac-a4d1-3a31aa0f2140', '936a56f5-a4f1-42d8-83b7-c44399ead661', '0d19ceed-28f6-4258-b365-f6e6f296121d', '037cc75c-9683-49db-aaa8-c8142763bb87', 'ff71ed89-8355-4abc-9da4-eb4768a38c9c', '6fade0a3-0c26-4a11-b81e-25d20e38bdd3', '3b54d8a5-580f-43bf-a12d-8e011f953bad', '0f6e72e1-ba8f-4d1d-920d-d8945a4fee59', '7bbc5366-897a-4505-bc68-3a18e3d4cf44', '4cd85398-c33a-4374-9a76-2bbf297cca63', '5ec8231e-70e9-4675-b922-368bcb9e914a', '21c64d34-e52a-42ba-a8c7-85aa82dc0b3f', 'cd9ab9e7-248f-4097-b120-a42834ce0f89', '91ddbeac-b587-4978-a80d-543a5d96cb77', 'b8448700-7ed0-48b8-85f5-ed23e0d9ab97', '12b074b9-6748-4ad7-880f-836cb80587e1', '45f92502-0775-4fc6-8fcd-97b325ea49a9', 'cddb4563-fe90-4c72-be81-6256d175a698', '69f278d7-194f-42d0-8f83-11de9f861264', 'f0c58aa3-5d21-4ade-95a0-b775dde7e8a3', '5f9b1c23-81f8-4aa3-8d97-235302e77eec', 'd842c7ff-e3d3-4534-9ed7-283752f4bbe2', 'ecd84106-2a5b-4d25-854e-b8d1f57f6b75', '7e6ef160-8e4f-4132-bdc4-9991f01c472e', '532b7819-d407-41e9-9733-0d716b69eb17', 'e401022a-36ac-486d-8503-dd531410a927', '173e1480-8d9b-49c5-854d-594dde9740d6', '7551097a-dfdd-426f-aaa2-a2916dd9b873', 'c475ad68-3fdc-4725-8abc-784c56125e96', '08809fa0-61b6-4394-b103-1c4d19a5be16', '4ac8dcde-2665-4066-9ad9-b5572d5f0d28', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
April 2024 FIN7 Malvertising Campaign
Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).[Esentire 5 8 2024]
Internal MISP references
UUID 2b869157-0b66-42fc-8ead-171160412660
which can be used as a unique global reference for April 2024 FIN7 Malvertising Campaign
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3038 |
first_seen | 2024-04-01T00:00:00Z |
last_seen | 2024-04-30T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
APT28 Cisco Router Exploits
In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.
Actors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.[U.S. CISA APT28 Cisco Routers April 18 2023]
In addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the source report.
Related Vulnerabilities: CVE-2017-6742[U.S. CISA APT28 Cisco Routers April 18 2023]
Internal MISP references
UUID ed8de8c3-03d2-4892-bd74-ccbc9afc3935
which can be used as a unique global reference for APT28 Cisco Router Exploits
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3008 |
first_seen | 2021-01-01T00:00:00Z |
last_seen | 2021-12-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['f01290d9-7160-44cb-949f-ee4947d04b6f', 'b20e7912-6a8d-46e3-8e13-9a3fc4813852'] |
APT28 Router Compromise Attacks
U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.[U.S. Federal Bureau of Investigation 2 27 2024] According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.[U.S. Justice Department GRU Botnet February 2024]
Internal MISP references
UUID 2514a83a-3516-4d5d-a13c-2b6175989a26
which can be used as a unique global reference for APT28 Router Compromise Attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3027 |
first_seen | 2022-12-01T00:00:00Z |
last_seen | 2024-01-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['af5e9be5-b86e-47af-91dd-966a5e34a186', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'a98d7a43-f227-478e-81de-e7299639a355', '916ea1e8-d117-45a4-8564-0597a02b06e4', 'b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'e809d252-12cc-494d-94f5-954c49eb87ce'] |
APT29 Cloud TTP Evolution
UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.[U.S. CISA APT29 Cloud Access]
Internal MISP references
UUID c1257a02-716f-4477-9eab-c38827418ed2
which can be used as a unique global reference for APT29 Cloud TTP Evolution
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3028 |
first_seen | 2023-02-26T00:00:00Z |
last_seen | 2024-02-26T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['af5e9be5-b86e-47af-91dd-966a5e34a186', '291c006e-f77a-4c9c-ae7e-084974c0e1eb'] |
APT29 TeamCity Exploits
In December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russia’s Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.
CVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.
JetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims. Indicators of compromise, mitigation guidance, and detection resources – including Sigma and YARA rules – can be found in the source report.[U.S. CISA SVR TeamCity Exploits December 2023]
Internal MISP references
UUID 80ae546a-70e5-4427-be1d-e74efc428ffd
which can be used as a unique global reference for APT29 TeamCity Exploits
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3017 |
first_seen | 2023-09-01T00:00:00Z |
last_seen | 2023-12-14T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['08809fa0-61b6-4394-b103-1c4d19a5be16', '4a457eb3-e404-47e5-b349-8b1f743dc657'] |
APT40 Recent Tradecraft
On July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.
The advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.[U.S. CISA APT40 July 8 2024]
Internal MISP references
UUID 3db5682a-0b99-4653-b487-bd0d30292a19
which can be used as a unique global reference for APT40 Recent Tradecraft
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3047 |
first_seen | 2022-04-01T00:00:00Z |
last_seen | 2022-09-30T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['96d58ca1-ab18-4e53-8891-d8ba62a47e5d', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '758c3085-2f79-40a8-ab95-f8a684737927', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '35e694ec-5133-46e3-b7e1-5831867c3b55', '375983b3-6e87-4281-99e2-1561519dd17b', '3ed2343c-a29c-42e2-8259-410381164c6a', 'a46c422c-5dad-49fc-a4ac-169a075a4d9a', '2eeef0b4-08b5-4d25-84f7-25d41fe6305b', '64d3f7d8-30b7-4b03-bee2-a6029672216c', '7e6ef160-8e4f-4132-bdc4-9991f01c472e', 'b20e7912-6a8d-46e3-8e13-9a3fc4813852'] |
APT41 2023-2024 Persistence & Exfiltration Activity (Deprecated)
We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "APT41 DUST" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.
In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.[Mandiant APT41 July 18 2024]
Internal MISP references
UUID ea6266fd-50a7-4223-ade3-e60c3467f540
which can be used as a unique global reference for APT41 2023-2024 Persistence & Exfiltration Activity (Deprecated)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3049 |
first_seen | 2023-03-21T00:00:00Z |
last_seen | 2024-07-16T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[Google Cloud APT41 2024]
Internal MISP references
UUID b90adbbd-0fe3-5c5f-9433-543a5f01b0ae
which can be used as a unique global reference for APT41 DUST
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0040 |
first_seen | 2023-01-31T23:00:00Z |
last_seen | 2024-06-30T22:00:00Z |
source | MITRE |
ArcaneDoor
ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.[Cisco Talos ArcaneDoor April 24 2024]
Researchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.[Wired ArcaneDoor April 24 2024] The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.[Cisco Talos ArcaneDoor April 24 2024]
Internal MISP references
UUID ccc6401a-b79f-424b-8617-3c2d55475584
which can be used as a unique global reference for ArcaneDoor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3036 |
first_seen | 2023-11-01T00:00:00Z |
last_seen | 2024-02-29T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['a159c91c-5258-49ea-af7d-e803008d97d3', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', '6bb2f579-a5cd-4647-9dcd-eff05efe3679', 'c25f341a-7030-4688-a00b-6d637298e52e', '9768aada-9d63-4d46-ab9f-d41b8c8e4010', '2e85babc-77cd-4455-9c6e-312223a956de', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3'] |
AWS Data Theft & Ransom Attack
This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.[Www.invictus-ir.com 1 11 2024]
Internal MISP references
UUID 9779935d-e316-4482-bec8-3d0704a26dc0
which can be used as a unique global reference for AWS Data Theft & Ransom Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3034 |
first_seen | 2024-01-01T00:00:00Z |
last_seen | 2024-01-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e5f6e4a-4579-46f7-9997-6923180815dd', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
AWS Fargate Cryptojacking Activity
Security researchers observed adversary activity that involved deployment of hundreds of AWS ECS Fargate clusters used to run XMRig cryptomining software. Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.[Datadog ECS January 19 2024]
Internal MISP references
UUID a94a5919-953e-4607-aaa4-dfccf6d938b5
which can be used as a unique global reference for AWS Fargate Cryptojacking Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3031 |
first_seen | 2023-12-01T00:00:00Z |
last_seen | 2024-01-19T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e5f6e4a-4579-46f7-9997-6923180815dd', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
AWS Lambda Credential Theft & Phishing Attack
This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.[Unit 42 12 8 2022]
Internal MISP references
UUID 64bddb9e-8bb4-481e-851a-0ddd7ba34615
which can be used as a unique global reference for AWS Lambda Credential Theft & Phishing Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3032 |
first_seen | 2022-05-20T00:00:00Z |
last_seen | 2022-05-20T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e5f6e4a-4579-46f7-9997-6923180815dd', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Black Basta Operator Social Engineering Campaign
Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.[Rapid7 Blog 5 10 2024][Microsoft Security Blog 5 15 2024]
Internal MISP references
UUID b6ce227e-7240-4591-a8b9-641822c1f9f4
which can be used as a unique global reference for Black Basta Operator Social Engineering Campaign
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3037 |
first_seen | 2024-04-15T00:00:00Z |
last_seen | 2024-05-15T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Bumblebee Distribution Campaigns 2023-24
This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.
Internal MISP references
UUID 0e3a0fa7-78eb-4820-9881-d62b04fe6f92
which can be used as unique global reference for Bumblebee Distribution Campaigns 2023-24
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3025 |
first_seen | 2023-03-01T00:00:00Z |
last_seen | 2024-02-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
C0010
C0010 was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researchers assess that UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. C0010 began by at least late 2020 and was still ongoing as of mid-2022.[Mandiant UNC3890 Aug 2022]
Internal MISP references
UUID a1e33caf-6eb0-442f-b97a-f6042f21df48
which can be used as unique global reference for C0010
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0010 |
first_seen | 2020-12-01T07:00:00Z |
last_seen | 2022-08-01T06:00:00Z |
source | MITRE |
C0011
C0011 was a suspected cyber espionage campaign conducted by Transparent Tribe that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from Transparent Tribe's historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.[Cisco Talos Transparent Tribe Education Campaign July 2022]
Internal MISP references
UUID 4c7386a7-9741-4ae4-8ad9-def03ed77e29
which can be used as unique global reference for C0011
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0011 |
first_seen | 2021-12-01T06:00:00Z |
last_seen | 2022-07-01T05:00:00Z |
source | MITRE |
C0015
C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated Conti ransomware playbook based on the observed pattern of activity and operator errors.[DFIR Conti Bazar Nov 2021]
Internal MISP references
UUID 85bbff82-ba0c-4193-a3b5-985afd5690c5
which can be used as unique global reference for C0015
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0015 |
first_seen | 2021-08-01T05:00:00Z |
last_seen | 2021-08-01T05:00:00Z |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
C0017
C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown; however, APT41 was observed exfiltrating Personally Identifiable Information (PII).[Mandiant APT41]
Internal MISP references
UUID a56d7700-c015-52ca-9c52-fed4d122c100
which can be used as unique global reference for C0017
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0017 |
first_seen | 2021-05-01T04:00:00Z |
last_seen | 2022-02-01T05:00:00Z |
source | MITRE |
tags | ['a98d7a43-f227-478e-81de-e7299639a355'] |
C0018
C0018 was a month-long ransomware intrusion that successfully deployed AvosLocker onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing AvosLocker.[Costa AvosLocker May 2022][Cisco Talos Avos Jun 2022]
Internal MISP references
UUID 0452e367-aaa4-5a18-8028-a7ee136fe646
which can be used as unique global reference for C0018
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0018 |
first_seen | 2022-02-01T05:00:00Z |
last_seen | 2022-03-01T05:00:00Z |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
C0021
C0021 was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. C0021's technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected APT29 activity.[Microsoft Unidentified Dec 2018][FireEye APT29 Nov 2018]
Internal MISP references
UUID 86bed8da-4cab-55fe-a2d0-9214db1a09cf
which can be used as unique global reference for C0021
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0021 |
first_seen | 2018-11-01T05:00:00Z |
last_seen | 2018-11-01T05:00:00Z |
source | MITRE |
C0026
C0026 was a campaign identified in September 2022 that included the selective distribution of KOPILUWAK and QUIETCANARY malware to previous ANDROMEDA malware victims in Ukraine through re-registered ANDROMEDA C2 domains. Several tools and tactics used during C0026 were consistent with historic Turla operations.[Mandiant Suspected Turla Campaign February 2023]
Internal MISP references
UUID 41f283a1-b2ac-547d-98d5-ff907afd08c7
which can be used as unique global reference for C0026
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0026 |
first_seen | 2022-08-01T05:00:00Z |
last_seen | 2022-09-01T04:00:00Z |
source | MITRE |
C0027
C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[Crowdstrike TELCO BPO Campaign December 2022]
Internal MISP references
UUID a9719584-4f52-5a5d-b0f7-1059e715c2b8
which can be used as unique global reference for C0027
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0027 |
first_seen | 2022-06-01T04:00:00Z |
last_seen | 2022-12-01T05:00:00Z |
source | MITRE |
C0032
C0032 was an extended campaign suspected to involve the Triton adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the Triton Safety Instrumented System Attack.[FireEye TRITON 2019]
Internal MISP references
UUID c26b3156-8472-5b87-971f-41a7a4702268
which can be used as unique global reference for C0032
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0032 |
first_seen | 2014-10-01T04:00:00Z |
last_seen | 2017-01-01T05:00:00Z |
source | MITRE |
C0033
C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[welivesec_strongpity]
Internal MISP references
UUID c5d35d8d-fe96-5210-bb57-4692081a25a9
which can be used as unique global reference for C0033
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0033 |
first_seen | 2016-05-01T07:00:00Z |
last_seen | 2023-01-01T08:00:00Z |
source | MITRE |
Citrine Sleet Chromium Zero-Day Exploit Activity (CVE-2024-7971)
Actors associated with the North Korean threat group Citrine Sleet were observed exploiting a zero-day vulnerability (CVE-2024-7971) in Chromium web browser software to achieve remote code execution in target environments. Actors were observed delivering FudModule, an advanced rootkit tool, during the attacks.[Microsoft Security Blog August 30 2024]
Internal MISP references
UUID 3ecdd876-7e93-4877-9032-49170c65a864
which can be used as unique global reference for Citrine Sleet Chromium Zero-Day Exploit Activity (CVE-2024-7971)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3055 |
first_seen | 2024-08-19T00:00:00Z |
last_seen | 2024-08-30T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['a38ef717-4427-4aa0-9666-bb97c6ff45f3', 'b9c973c9-062d-4cbd-8bfe-98d0b4e547eb', 'a98d7a43-f227-478e-81de-e7299639a355', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Citrine Sleet Cryptocurrency Industry Attack
Microsoft researchers observed threat actors, believed to be members of the Citrine Sleet aka DEV-0139 group, launch an apparently targeted attack against an organization in the cryptocurrency industry.[Microsoft DEV-0139 December 6 2022]
Internal MISP references
UUID dd4f230d-198b-45d5-b0f9-55ee725cd836
which can be used as unique global reference for Citrine Sleet Cryptocurrency Industry Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3056 |
first_seen | 2024-06-18T00:00:00Z |
last_seen | 2022-10-19T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Clop MOVEit Transfer Vulnerability Exploitation
In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to "CL0P Ransomware Gang, also known as TA505", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see "widespread exploitation of unpatched software services in both private and public networks".[U.S. CISA CL0P CVE-2023-34362 Exploitation] Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.[Progress Software MOVEit Transfer Critical Vulnerability]
Related Vulnerabilities: CVE-2023-34362[U.S. CISA CL0P CVE-2023-34362 Exploitation]
Internal MISP references
UUID f20c935b-e0c5-4941-b710-73cf06dd2b4a
which can be used as unique global reference for Clop MOVEit Transfer Vulnerability Exploitation
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3005 |
first_seen | 2023-05-27T00:00:00Z |
last_seen | 2023-06-16T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', 'a98d7a43-f227-478e-81de-e7299639a355', '173e1480-8d9b-49c5-854d-594dde9740d6'] |
Cloudflare Thanksgiving 2023 security incident
This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.
Internal MISP references
UUID bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4
which can be used as unique global reference for Cloudflare Thanksgiving 2023 security incident
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3022 |
first_seen | 2023-11-14T00:00:00Z |
last_seen | 2023-11-24T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['fe28cf32-a15c-44cf-892c-faa0360d6109', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Corona Mirai Botnet Zero-Day Exploit Campaign
Actors deploying a variant of the Mirai botnet, known as Corona, were observed exploiting a zero-day vulnerability (CVE-2024-7029) to achieve initial infection of new devices with the botnet. The vulnerability enables remote code execution on affected devices (AVTECH closed-circuit television (CCTV) cameras), which actors abused to ingress their main payloads.[Akamai Corona Zero-Day August 28 2024]
Internal MISP references
UUID 4f1823b1-80ad-4f5d-ba04-a4d4baf37e72
which can be used as unique global reference for Corona Mirai Botnet Zero-Day Exploit Campaign
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3051 |
first_seen | 2024-03-18T00:00:00Z |
last_seen | 2024-08-28T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['55cb344a-cbd5-4fd1-a1e9-30bbc956527e', 'f925e659-1120-4b76-92b6-071a7fb757d6', '06236145-e9d6-461c-b7e4-284b3de5f561', 'a98d7a43-f227-478e-81de-e7299639a355', '33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
CostaRicto
CostaRicto was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. CostaRicto actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[BlackBerry CostaRicto November 2020]
Internal MISP references
UUID fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48
which can be used as unique global reference for CostaRicto
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0004 |
first_seen | 2019-10-01T04:00:00Z |
last_seen | 2020-11-01T04:00:00Z |
source | MITRE |
Cutting Edge
Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[Mandiant Cutting Edge January 2024][Volexity Ivanti Zero-Day Exploitation January 2024][Volexity Ivanti Global Exploitation January 2024][Mandiant Cutting Edge Part 2 January 2024][Mandiant Cutting Edge Part 3 February 2024]
Internal MISP references
UUID 4e605e33-57fe-5bb2-b0ad-ec146aac041b
which can be used as unique global reference for Cutting Edge
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0029 |
first_seen | 2023-12-01T05:00:00Z |
last_seen | 2024-02-01T05:00:00Z |
source | MITRE |
tags | ['fe984a01-910d-4e39-9c49-179aa03f75ab', '9768aada-9d63-4d46-ab9f-d41b8c8e4010', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'd1ab6bd6-2688-4e54-a1d3-d180bb8fd41a', '1ff4614e-0ee6-4e04-921d-61abba7fcdb7', 'e00b65fc-8f56-4a9e-9f09-ccf3124a3272'] |
DangerDev AWS Attack
This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an "accidentally exposed long term access key belonging to an IAM user". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining activity, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.[Www.invictus-ir.com 1 31 2024]
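Both this entry and the AWS Lambda Credential Theft & Phishing Attack (C3032) above turn on the same three signals in CloudTrail: a Lambda execution role's temporary credentials used from somewhere the function never runs, a long-term IAM user key driving SES and domain-registration calls, and a burst of read-only API calls from a single key as the actor enumerates the account. The script below, an added example rather than code from Tidal Cyber, Unit 42 or Invictus IR, runs those checks over constructed CloudTrail records. The field names are CloudTrail's own; the trusted CIDR, the role name, the sensitive-API list, the threshold and every record are assumptions to be tuned per account.

```python
"""Flag suspicious use of AWS credentials in CloudTrail records.

Added example (not Tidal Cyber, Unit 42 or Invictus IR code). Field names
are CloudTrail's; the trusted CIDR, the Lambda role name, the sensitive
API list, the threshold and all records below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: our VPC ranges
LAMBDA_ROLES = {"order-processor-lambda-role"}           # assumption: roles only Lambda should use
SENSITIVE_CALLS = {                                      # the abuse seen in these two incidents
    ("ses.amazonaws.com", "SendEmail"), ("ses.amazonaws.com", "SendRawEmail"),
    ("ses.amazonaws.com", "VerifyEmailIdentity"), ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateAccessKey"), ("route53domains.amazonaws.com", "RegisterDomain"),
}
ENUM_THRESHOLD = 5                        # distinct read-only APIs per key before we call it recon
READ_PREFIXES = ("List", "Describe", "Get")


def _rec(source, name, ip, key, role=None, user=None):
    """Build a minimal CloudTrail record (constructed sample data)."""
    if role:   # temporary creds from sts:AssumeRole; CloudTrail names the issuing role here
        ident = {"type": "AssumedRole", "accessKeyId": key,
                 "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role}}}
    else:
        ident = {"type": "IAMUser", "accessKeyId": key, "userName": user}
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip, "userIdentity": ident}


LAMBDA_KEY = "ASIAEXAMPLELAMBDA001"       # temporary credentials start with ASIA (constructed id)
USER_KEY = "AKIAEXAMPLELEAKED001"         # long-term IAM user keys start with AKIA (constructed id)
ROLE = "order-processor-lambda-role"
SAMPLE_EVENTS = [   # constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    _rec("s3.amazonaws.com", "GetObject", "10.0.12.5", LAMBDA_KEY, role=ROLE),             # normal
    _rec("sts.amazonaws.com", "GetCallerIdentity", "198.51.100.23", LAMBDA_KEY, role=ROLE),
    _rec("iam.amazonaws.com", "ListUsers", "198.51.100.23", LAMBDA_KEY, role=ROLE),
    _rec("s3.amazonaws.com", "ListBuckets", "198.51.100.23", LAMBDA_KEY, role=ROLE),
    _rec("ec2.amazonaws.com", "DescribeInstances", "198.51.100.23", LAMBDA_KEY, role=ROLE),
    _rec("lambda.amazonaws.com", "ListFunctions", "198.51.100.23", LAMBDA_KEY, role=ROLE),
    _rec("ses.amazonaws.com", "GetSendQuota", "198.51.100.23", LAMBDA_KEY, role=ROLE),
    _rec("iam.amazonaws.com", "ListUsers", "203.0.113.77", USER_KEY, user="deploy-bot"),
    _rec("ses.amazonaws.com", "VerifyEmailIdentity", "203.0.113.77", USER_KEY, user="deploy-bot"),
    _rec("ses.amazonaws.com", "SendEmail", "203.0.113.77", USER_KEY, user="deploy-bot"),
    _rec("route53domains.amazonaws.com", "RegisterDomain", "203.0.113.77", USER_KEY, user="deploy-bot"),
]


def is_trusted(source):
    """CloudTrail writes a service DNS name instead of an IP when an AWS service acted; trust those."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_CIDRS)


def analyze(events):
    findings, seen, read_calls = [], set(), defaultdict(set)
    for ev in events:
        ident, ip = ev["userIdentity"], ev["sourceIPAddress"]
        key, call = ident.get("accessKeyId", ""), (ev["eventSource"], ev["eventName"])
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        # 1. Lambda execution-role session used from outside the ranges the function runs in
        if (ident["type"] == "AssumedRole" and issuer.get("userName") in LAMBDA_ROLES
                and not is_trusted(ip) and (key, ip) not in seen):
            seen.add((key, ip))
            findings.append({"rule": "lambda_role_creds_offnet", "key": key, "ip": ip,
                             "role": issuer["userName"]})
        # 2. long-term key driving the high-impact calls (SES sending, new principals, new domains)
        if key.startswith("AKIA") and call in SENSITIVE_CALLS:
            findings.append({"rule": "long_term_key_sensitive_call", "key": key, "ip": ip,
                             "api": ev["eventName"]})
        # 3. enumeration: many distinct read-only APIs from one key (counted per key, not per IP)
        if ev["eventName"].startswith(READ_PREFIXES):
            read_calls[key].add(call)
    for key, calls in read_calls.items():
        if len(calls) >= ENUM_THRESHOLD:
            findings.append({"rule": "enumeration_burst", "key": key, "distinct_read_apis": len(calls)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The enumeration rule is keyed on the access key rather than the source address on purpose: a session that starts inside a VPC and continues from an attacker's host is one actor, and the first in-VPC call still belongs to the picture. Treating non-IP `sourceIPAddress` values as trusted is a simplification; in production, match them against the specific services that are expected to act on each role.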
Internal MISP references
UUID 8ee9d9f1-9906-4f0d-a4a7-0e6ed1aa4069
which can be used as unique global reference for DangerDev AWS Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3033 |
first_seen | 2024-01-01T00:00:00Z |
last_seen | 2024-01-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['2e5f6e4a-4579-46f7-9997-6923180815dd'] |
Defense Sector Supply Chain Compromise by North Korea-Linked Actors
German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff; they deployed malware via a patch management system and stole account information and email contents before being evicted from the network.[BfV North Korea February 17 2024]
Internal MISP references
UUID 1a2caf4c-658d-4117-a912-55f4d6bca899
which can be used as unique global reference for Defense Sector Supply Chain Compromise by North Korea-Linked Actors
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3026 |
first_seen | 2022-12-01T00:00:00Z |
last_seen | 2022-12-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', 'e7ea1f6d-59f2-40c1-bbfe-835dedf033ee'] |
Emmenhtal Loader Distribution Activity
Security researchers observed consistent adversary use of Web Distributed Authoring and Versioning (WebDAV) technology to host malicious files related to Emmenhtal (aka PeakLight), a stealthy loader malware that was then used to ingress various final malicious payloads, including DarkGate, Amadey, and SelfAU3.[Sekoia.io Blog September 19 2024]
Internal MISP references
UUID 0ca317da-c8d6-4bd5-8c1e-5d581c9095ce
which can be used as unique global reference for Emmenhtal Loader Distribution Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3060 |
first_seen | 2023-12-01T00:00:00Z |
last_seen | 2024-09-19T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['61085b71-eb19-46d8-a9e6-1ab9d2f3c08d', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
FamousSparrow/GhostEmperor Vulnerability Exploit and Post-Compromise Activity
ESET researchers observed cyberespionage activity that they linked to the FamousSparrow group, where actors used ProxyLogon and other vulnerability exploits to compromise hotel, legal, and other organizations worldwide and install a backdoor dubbed SparrowDoor, among other post-exploit tools.[ESET FamousSparrow September 23 2021]
At a similar time, Kaspersky researchers reported activity they linked to the GhostEmperor group, where ProxyLogon was also exploited and similar post-exploit tools were deployed, as well as a rootkit dubbed Demodex. The researchers further indicated that one of the command and control servers identified during their investigation correlated to the FamousSparrow activity that ESET had reported.[Kaspersky September 30 2021]
Internal MISP references
UUID 7fa02214-cd06-480d-af2d-5943be14c6bd
which can be used as unique global reference for FamousSparrow/GhostEmperor Vulnerability Exploit and Post-Compromise Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3064 |
first_seen | 2021-03-03T00:00:00Z |
last_seen | 2021-03-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['915e7ac2-b266-45d7-945c-cb04327d6246', 'e499005b-adba-45bb-85e3-07043fd9edf9', '8b1cb0dc-dd3e-44ba-828c-55c040e93b93', '5f5e40cd-0732-4eb4-a083-06940623c3f9', '15f2277a-a17e-4d85-8acd-480bf84f16b4', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
FIN12 March 2023 Hospital Center Intrusion
In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.
The actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.
Additional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the source report.[CERTFR-2023-CTI-007]
Related Vulnerabilities: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[CERTFR-2023-CTI-007]
Internal MISP references
UUID 129ffe04-ea90-45d1-a2fd-7ff0bffa0433
which can be used as unique global reference for FIN12 March 2023 Hospital Center Intrusion
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3010 |
first_seen | 2023-03-01T00:00:00Z |
last_seen | 2023-03-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '2743d495-7728-4a75-9e5f-b64854039792', 'ecd84106-2a5b-4d25-854e-b8d1f57f6b75', 'a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530', '4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', 'd385b541-4033-48df-93cd-237ca6e46f36'] |
FortiManager Zero-Day Exploit Activity (CVE-2024-47575)
This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.
Internal MISP references
UUID 50a2fbb8-e92e-4033-9dfc-d6b47aaab22d
which can be used as unique global reference for FortiManager Zero-Day Exploit Activity (CVE-2024-47575)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3066 |
first_seen | 2024-06-27T00:00:00Z |
last_seen | 2024-10-23T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['ef7715f8-526a-4df5-bad3-74b66170a52b', 'a98d7a43-f227-478e-81de-e7299639a355', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Frankenstein
Frankenstein was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including Empire. The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.[Talos Frankenstein June 2019]
Internal MISP references
UUID 2fab9878-8aae-445a-86db-6b47b473f56b
which can be used as unique global reference for Frankenstein
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0001 |
first_seen | 2019-01-01T06:00:00Z |
last_seen | 2019-04-01T05:00:00Z |
source | MITRE |
FunnyDream
FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[Bitdefender FunnyDream Campaign November 2020][Kaspersky APT Trends Q1 2020][Recorded Future Chinese Activity in Southeast Asia December 2021]
Internal MISP references
UUID 94587edf-0292-445b-8c66-b16629597f1e
which can be used as unique global reference for FunnyDream
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0007 |
first_seen | 2018-07-01T05:00:00Z |
last_seen | 2020-11-01T04:00:00Z |
source | MITRE |
GhostEmperor/Demodex 2023 Compromise
In July 2024, Sygnia researchers reported on what they described as an "updated infection chain" used to deploy a variant of the Demodex rootkit, associated with the GhostEmperor (AKA FamousSparrow and Salt Typhoon) China-backed cyberespionage group. The attacks, which were discovered at an unspecified time in "late 2023", featured malware loading and obfuscation methods distinct from those observed during previous GhostEmperor activity in 2021.[Sygnia July 17 2024]
Internal MISP references
UUID c1447188-c034-408e-a827-55314c698827
which can be used as unique global reference for GhostEmperor/Demodex 2023 Compromise
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3065 |
first_seen | 2023-12-01T00:00:00Z |
last_seen | 2023-12-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Healthcare Social Engineering & Payment Diversion Activity
U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.
Actors then used "living off the land" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.[FBI Social Engineering Attacks June 24 2024]
Internal MISP references
UUID 1610257c-e2fc-4b05-bd63-5c2cbfb2342e
which can be used as unique global reference for Healthcare Social Engineering & Payment Diversion Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3042 |
first_seen | 2023-08-01T00:00:00Z |
last_seen | 2024-06-24T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c'] |
HomeLand Justice
HomeLand Justice was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for HomeLand Justice was established in May 2021; threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the "HomeLand Justice" front, whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group that maintains a refugee camp in Albania and was formerly designated a terrorist organization by the US State Department.[Mandiant ROADSWEEP August 2022][Microsoft Albanian Government Attacks September 2022][CISA Iran Albanian Attacks September 2022] A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[CISA Iran Albanian Attacks September 2022]
Internal MISP references
UUID 04329c95-d792-5333-b5bc-13ef2c545d7b
which can be used as unique global reference for HomeLand Justice
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0038 |
first_seen | 2021-05-01T04:00:00Z |
last_seen | 2022-09-01T04:00:00Z |
source | MITRE |
tags | ['e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee'] |
HPE Midnight Blizzard Office 365 Email Exfiltration
This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.
Internal MISP references
UUID d1244338-85dd-4650-989a-9df8020860b9
which can be used as unique global reference for HPE Midnight Blizzard Office 365 Email Exfiltration
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3021 |
first_seen | 2023-05-01T00:00:00Z |
last_seen | 2023-12-12T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '15f2277a-a17e-4d85-8acd-480bf84f16b4', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Iranian APT Credential Harvesting & Cryptomining Activity
In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.
Additional details, including incident response guidance and relevant mitigations, can be found in the source report.[U.S. CISA Advisory November 25 2022]
Related Vulnerabilities: CVE-2021-44228[U.S. CISA Advisory November 25 2022]
Internal MISP references
UUID 7d6ff40d-51f3-42f8-b986-e7421f59b4bd
which can be used as unique global reference for Iranian APT Credential Harvesting & Cryptomining Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3012 |
first_seen | 2022-06-15T00:00:00Z |
last_seen | 2022-07-15T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee', '7e6ef160-8e4f-4132-bdc4-9991f01c472e'] |
Iranian APT Targeting U.S. Voter Data
In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state – after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.[U.S. CISA Iran Voter Data November 3 2020]
Internal MISP references
UUID 18cf25b5-ed3a-40f6-bf0a-a3938a4f8da2
which can be used as unique global reference for Iranian APT Targeting U.S. Voter Data
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3014 |
first_seen | 2020-09-20T00:00:00Z |
last_seen | 2020-10-20T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
Iranian Cyber Actors Compromise Critical Infrastructure Organizations
On October 16, 2024, U.S., Canadian, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA24-290A, which detailed attacks by unspecified "Iranian cyber actors", who used brute forcing and other credential access techniques to compromise various critical infrastructure entities, including organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The advisory indicated that the actors likely carried out the attacks in order to ultimately sell harvested credentials and victim network information "to enable access to cybercriminals".[U.S. CISA Iranian Actors Critical Infrastructure October 16 2024]
Internal MISP references
UUID 3b15979c-eabf-41d1-8930-f480106f8430
which can be used as unique global reference for Iranian Cyber Actors Compromise Critical Infrastructure Organizations
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3063 |
first_seen | 2023-10-01T00:00:00Z |
last_seen | 2024-02-07T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['51006447-540b-4b9d-bdba-1cbff8038ae9', '35e694ec-5133-46e3-b7e1-5831867c3b55', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', '15787198-6c8b-4f79-bf50-258d55072fee', '89c5b94b-ecf4-4d53-9b74-3465086d4565', '291c006e-f77a-4c9c-ae7e-084974c0e1eb', '15f2277a-a17e-4d85-8acd-480bf84f16b4', 'c9c73000-30a5-4a16-8c8b-79169f9c24aa'] |
Iranian IRGC Data Extortion Operations
In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.
The actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.
In addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the two source reports.
Related Vulnerabilities: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105[U.S. CISA IRGC Actors September 14 2022], CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591[U.S. CISA Iranian Government Actors November 19 2021]
Internal MISP references
UUID 338c6497-2b13-4c2b-bd45-d8b636c35cac
which can be used as unique global reference for Iranian IRGC Data Extortion Operations
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3013 |
first_seen | 2021-03-01T00:00:00Z |
last_seen | 2022-09-14T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['3ed2343c-a29c-42e2-8259-410381164c6a', '375983b3-6e87-4281-99e2-1561519dd17b', '64d3f7d8-30b7-4b03-bee2-a6029672216c', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '15787198-6c8b-4f79-bf50-258d55072fee', 'd84be7c9-c652-4a43-a79e-ef0fa2318c58', '1423b5a8-cff3-48d5-a0a2-09b3afc9f195', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'fde4c246-7d2d-4d53-938b-44651cf273f1', 'c3779a84-8132-4c62-be2f-9312ad41c273', 'c035da8e-f96c-4793-885d-45017d825596', '7e6ef160-8e4f-4132-bdc4-9991f01c472e', 'd713747c-2d53-487e-9dac-259230f04460', '964c2590-4b52-48c6-afff-9a6d72e68908'] |
Ivanti Gateway Vulnerability Exploits (Deprecated)
We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "Cutting Edge" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.
This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background & contextual details can be found in the References tab below.
Internal MISP references
UUID c2544d1d-3c99-4601-86fe-8b62020aaffc
which can be used as unique global reference for Ivanti Gateway Vulnerability Exploits (Deprecated)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C5017 |
first_seen | 2023-12-01T00:00:00Z |
last_seen | 2024-02-29T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['fe984a01-910d-4e39-9c49-179aa03f75ab', '9768aada-9d63-4d46-ab9f-d41b8c8e4010', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'd1ab6bd6-2688-4e54-a1d3-d180bb8fd41a', '1ff4614e-0ee6-4e04-921d-61abba7fcdb7', 'e00b65fc-8f56-4a9e-9f09-ccf3124a3272'] |
JOKERSPY Intrusion
JOKERSPY (aka REF9134) was an intrusion involving a Python-based backdoor, which was used to deploy a malicious macOS-based enumeration tool called Swiftbelt and other open-source tools.[elastic.co 6 21 2023]
Internal MISP references
UUID c44d9a29-3025-40b3-8c12-45390597cc0f
which can be used as unique global reference for JOKERSPY Intrusion
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3035 |
first_seen | 2023-05-31T00:00:00Z |
last_seen | 2023-06-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
June 2023 Citrix Vulnerability Exploitation
In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller ("ADC") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.[U.S. CISA CVE-2023-3519 Exploits] Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.[Citrix Bulletin CVE-2023-3519]
After achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim's Active Directory ("AD"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segmentation controls for the ADC appliance blocked this attempted activity.[U.S. CISA CVE-2023-3519 Exploits] Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is "consistent with previous operations by China-nexus actors".[Mandiant CVE-2023-3519 Exploitation]
Related Vulnerabilities: CVE-2023-3519[U.S. CISA CVE-2023-3519 Exploits]
Internal MISP references
UUID 86e3565d-93dc-40e5-8f84-20d1c15b8e9d
which can be used as unique global reference for June 2023 Citrix Vulnerability Exploitation
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3004 |
first_seen | 2023-06-01T00:00:00Z |
last_seen | 2023-06-30T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['fe984a01-910d-4e39-9c49-179aa03f75ab', 'a98d7a43-f227-478e-81de-e7299639a355', 'c475ad68-3fdc-4725-8abc-784c56125e96'] |
KV Botnet Activity
KV Botnet Activity consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. KV Botnet Activity was used by Volt Typhoon to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.[Lumen KVBotnet 2023] This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.[DOJ KVBotnet 2024]
Internal MISP references
UUID c0c1054c-46f0-5221-9e7c-9907fe224947
which can be used as unique global reference for KV Botnet Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0035 |
first_seen | 2022-10-01T04:00:00Z |
last_seen | 2024-01-01T05:00:00Z |
source | MITRE |
tags | ['b20e7912-6a8d-46e3-8e13-9a3fc4813852'] |
LockBit Affiliate Citrix Bleed Exploits
In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.
Citrix Bleed is a vulnerability in Citrix NetScaler Application Delivery Controller (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.
After successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the source report.[U.S. CISA LockBit Citrix Bleed November 21 2023] Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.[Malwarebytes Citrix Bleed November 24 2023][Cybernews Yanfeng Qilin November 2023]
Internal MISP references
UUID f4225d6a-8734-401f-aa2a-1a73c23b16e6
which can be used as unique global reference for LockBit Affiliate Citrix Bleed Exploits
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3016 |
first_seen | 2023-08-01T00:00:00Z |
last_seen | 2023-11-16T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
MacroPack Payload Delivery Activity
Researchers identified a red teaming framework used to generate attack payloads, called "MacroPack". The framework was used to deploy the Brute Ratel and Havoc post-exploitation frameworks and the PhantomCore remote access trojan. In addition to red teaming applications, researchers assessed that MacroPack is also being abused by threat actors.[Cisco Talos Blog September 3 2024]
Internal MISP references
UUID 2229e945-ec3d-4e20-ad4a-bd12741a6724
which can be used as unique global reference for MacroPack Payload Delivery Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3052 |
first_seen | 2024-05-01T00:00:00Z |
last_seen | 2024-07-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
May 2023 Exfiltration & Wiper Activity (Truebot + FlawedGrace + MBR Killer)
The DFIR Report researchers reported on activity taking place in May 2023, in which an adversary, attributed to FIN11 and Lace Tempest, achieved initial access into a victim environment via a spearphishing email, leading to the download of Truebot malware. Several other tools and malware were then used to move laterally, discover and collect victim information, exfiltrate it, and ultimately deploy a wiper. These included: FlawedGrace, Cobalt Strike, Impacket, various native utilities, and MBR Killer. In total, the activity lasted for 29 hours.[The DFIR Report Truebot June 12 2023]
Internal MISP references
UUID f74885c3-c39b-4db4-ab4f-2990929450a2
which can be used as unique global reference for May 2023 Exfiltration & Wiper Activity (Truebot + FlawedGrace + MBR Killer)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3002 |
first_seen | 2023-05-01T00:00:00Z |
last_seen | 2023-05-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Microsoft Midnight Blizzard Breach
This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.
Internal MISP references
UUID 4c01ad48-6a09-462a-abf4-24ba0a4cea56
which can be used as unique global reference for Microsoft Midnight Blizzard Breach
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3023 |
first_seen | 2023-11-30T00:00:00Z |
last_seen | 2024-01-12T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '15f2277a-a17e-4d85-8acd-480bf84f16b4', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Molerats 2021 Backdoor Delivery Campaign
Researchers observed a campaign that took place in the latter half of 2021, apparently directed at individuals representing financial and political figures in Palestine and Turkey, that used malicious, macro-based Microsoft Office files to compromise victim systems with the aim of installing a .NET-based backdoor tool. Researchers attributed the activity to the Molerats APT group.[Zscaler Molerats Campaign]
Internal MISP references
UUID f1922702-2c16-496e-9d21-f32fc9c6daee
which can be used as unique global reference for Molerats 2021 Backdoor Delivery Campaign
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3011 |
first_seen | 2021-07-01T00:00:00Z |
last_seen | 2021-12-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Moonstone Sleet Operations (Deprecated)
We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "Moonstone Sleet" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.
This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.[Microsoft Security Blog 5 28 2024]
Internal MISP references
UUID 6e63729b-6483-4a87-923c-2de179a32f17
which can be used as unique global reference for Moonstone Sleet Operations (Deprecated)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3039 |
first_seen | 2023-08-01T00:00:00Z |
last_seen | 2024-05-28T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Night Dragon
Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems and financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[McAfee Night Dragon]
Internal MISP references
UUID 85f136b3-d5a3-4c4c-a37c-40e4418dc989
which can be used as unique global reference for Night Dragon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0002 |
first_seen | 2009-11-01T04:00:00Z |
last_seen | 2011-02-01T05:00:00Z |
source | MITRE |
Okta Customer Support Security Incident
According to details published by Okta Security, threat actors gained unauthorized access to Okta’s customer support management system from September 28 to October 17, 2023. Initial access to the system was believed to have been achieved after an employee signed into a personal cloud account on their Okta-managed laptop and saved the legitimate credentials for an Okta service account into that cloud profile. Okta Security believes the personal cloud account was most likely compromised (through unspecified means), exposing the Okta service account credentials.
After gaining access to the Okta customer support management system using the valid service account credentials, the threat actor accessed HTTP Archive (HAR) files provided by Okta customers, which can contain cookies and session tokens. Okta indicated that the threat actor used session tokens compromised during the incident to hijack the legitimate Okta sessions of at least five customers. The threat actor is also believed to have run and downloaded a report that contained the names and email addresses of all Okta customer support system users. Considering that customers’ names and email addresses were downloaded, Okta Security indicated that they assessed there is an increased risk of phishing and social engineering attacks directed at those users following the incident.[Okta HAR Files Incident Notice][Okta HAR Files RCA][Okta HAR Files Incident Update]
Internal MISP references
UUID a11d1575-5487-41cd-83b5-1601aa9d5487
which can be used as unique global reference for Okta Customer Support Security Incident
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3018 |
first_seen | 2023-09-28T00:00:00Z |
last_seen | 2023-10-17T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['fe28cf32-a15c-44cf-892c-faa0360d6109', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Operation Bearded Barbie
"Operation Bearded Barbie" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially "high-profile" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.[Cybereason Operation Bearded Barbie April 5 2022]
Internal MISP references
UUID 0496e076-1813-4f51-86e6-8f551983e8f8
which can be used as unique global reference for Operation Bearded Barbie
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3015 |
first_seen | 2022-03-01T00:00:00Z |
last_seen | 2022-04-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Operation CuckooBees
Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[Cybereason OperationCuckooBees May 2022]
Internal MISP references
UUID 81bf4e45-f0d3-4fec-a9d4-1259cf8542a1
which can be used as unique global reference for Operation CuckooBees
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0012 |
first_seen | 2019-12-01T07:00:00Z |
last_seen | 2022-05-01T06:00:00Z |
source | MITRE |
Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[ClearSky Lazarus Aug 2020][McAfee Lazarus Jul 2020][ESET Lazarus Jun 2020][The Hacker News Lazarus Aug 2022]
Internal MISP references
UUID 9a94e646-cbe5-54a1-8bf6-70ef745e641b
which can be used as unique global reference for Operation Dream Job
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0022 |
first_seen | 2019-09-01T04:00:00Z |
last_seen | 2020-08-01T04:00:00Z |
source | MITRE |
Operation Dust Storm
Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[Cylance Dust Storm]
Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[Cylance Dust Storm]
Internal MISP references
UUID af0c0f55-dc4f-4cb5-9350-3a2d7c07595f
which can be used as unique global reference for Operation Dust Storm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0016 |
first_seen | 2010-01-01T07:00:00Z |
last_seen | 2016-02-01T06:00:00Z |
source | MITRE |
Operation Ghost
Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[ESET Dukes October 2019]
Internal MISP references
UUID 1fcfe949-5f96-578e-86ad-069ba123c867
which can be used as unique global reference for Operation Ghost
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0023 |
first_seen | 2013-09-01T04:00:00Z |
last_seen | 2019-10-01T04:00:00Z |
source | MITRE |
Operation Honeybee
Operation Honeybee was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. Operation Honeybee initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.[McAfee Honeybee]
Internal MISP references
UUID f741ed36-2d52-40ae-bbdc-70722f4071c7
which can be used as unique global reference for Operation Honeybee
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0006 |
first_seen | 2017-08-01T05:00:00Z |
last_seen | 2018-02-01T06:00:00Z |
source | MITRE |
Operation In(ter)ception
Operation In(ter)ception refers to a series of threat activities attributed to Lazarus Group dating back to at least late 2019. Operation In(ter)ception campaigns are considered a sub-component of broader Lazarus Group espionage activities known as Operation Dream Job. Operation In(ter)ception attacks typically feature social engineering lures containing fake job vacancy announcements for cryptocurrency companies. They are designed to ultimately infect targets with macOS malware.[SentinelOne 9 26 2022]
Internal MISP references
UUID 9637ff1e-803e-47f7-b808-f4d1ef6fd500
which can be used as unique global reference for Operation In(ter)ception
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3040 |
first_seen | 2019-12-01T00:00:00Z |
last_seen | 2022-09-26T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Operation Sharpshooter
Operation Sharpshooter was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous Lazarus Group operations, including fake job recruitment lures and shared malware code.[McAfee Sharpshooter December 2018][Bleeping Computer Op Sharpshooter March 2019][Threatpost New Op Sharpshooter Data March 2019]
Internal MISP references
UUID 57e858c8-fd0b-4382-a178-0165d03aa8a9
which can be used as unique global reference for Operation Sharpshooter
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0013 |
first_seen | 2017-09-01T05:00:00Z |
last_seen | 2019-03-01T06:00:00Z |
source | MITRE |
Operation Spalax
Operation Spalax was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The Operation Spalax threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to APT-C-36; however, they identified enough differences to report this as separate, unattributed activity.[ESET Operation Spalax Jan 2021]
Internal MISP references
UUID 98d3a8ac-6af9-4471-83f6-e880ca70261f
which can be used as unique global reference for Operation Spalax
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0005 |
first_seen | 2019-11-01T05:00:00Z |
last_seen | 2021-01-01T06:00:00Z |
source | MITRE |
Operation Wocao
Operation Wocao was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.[FoxIT Wocao December 2019]
Security researchers assessed the Operation Wocao actors used similar TTPs and tools as APT20, suggesting a possible overlap. Operation Wocao was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.[FoxIT Wocao December 2019]
Internal MISP references
UUID 56e4e10f-8c8c-4b7c-8355-7ed89af181be
which can be used as unique global reference for Operation Wocao
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0014 |
first_seen | 2017-12-01T05:00:00Z |
last_seen | 2019-12-01T05:00:00Z |
source | MITRE |
PaperCut Vulnerability Exploitation
In May 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) authorities released Cybersecurity Advisory AA23-131A, which detailed observed exploits of a vulnerability, CVE-2023-27350, affecting certain versions of PaperCut NG and PaperCut MF, software applications for print management. PaperCut released a patch for the vulnerability in March 2023.[PaperCut MF/NG vulnerability bulletin] According to the Advisory, authorities observed unspecified threat actors exploiting the vulnerability in mid-April 2023, followed by exploitation by the self-identified Bl00dy Ransomware Gang the following month.[U.S. CISA PaperCut May 2023]
CVE-2023-27350 allows a remote actor to bypass authentication and remotely execute code on servers running affected versions of PaperCut software. In May, U.S. authorities observed Bl00dy Ransomware Gang actors exploiting the vulnerability to achieve initial access into education sector entities' networks and ingressing both legitimate remote management and maintenance (RMM) tools and several other command and control-related malware, including Lizar, Truebot, and Cobalt Strike. In some cases, the actors ultimately exfiltrated victim data and encrypted files, demanding payment in order to decrypt affected systems (the Advisory did not indicate how precisely actors encrypted data). The Advisory indicated that the "Education Facilities Subsector" maintains nearly 70% of exposed (but not necessarily vulnerable) U.S.-based PaperCut servers.[U.S. CISA PaperCut May 2023]
The Advisory instructed defenders to focus CVE-2023-27350 detection efforts on three areas: network traffic signatures, system monitoring, and server settings and log files. More details and resources for detection can be found in the source report.
Related Vulnerabilities: CVE-2023-27350[U.S. CISA PaperCut May 2023]
Internal MISP references
UUID 38443d11-135a-47ac-909f-fa34744bc3a5
which can be used as unique global reference for PaperCut Vulnerability Exploitation
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3006 |
first_seen | 2023-04-15T00:00:00Z |
last_seen | 2023-05-30T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '992bdd33-4a47-495d-883a-58010a2f0efb'] |
Pikabot Distribution Campaigns 2023
This is a single object to represent the initial access and delivery methods observed with Pikabot distribution in the first year after its discovery. Distribution campaigns have been linked to the TA577 threat actor (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike)[Malwarebytes Pikabot December 15 2023][Unit42 Malware Roundup December 29 2023]; however, the Technique- and Procedure-level intelligence associated with these campaigns that is provided below was not explicitly linked to that group, so we are providing this intelligence to users in this Campaign form. The Water Curupira intrusion set (affiliated with the Black Basta ransomware operation) has also been observed distributing Pikabot.[Trend Micro Pikabot January 9 2024]
Internal MISP references
UUID 71f6d3b1-c45e-421c-99cb-3b695647cf0b
which can be used as unique global reference for Pikabot Distribution Campaigns 2023
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3019 |
first_seen | 2023-02-01T00:00:00Z |
last_seen | 2023-12-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
Pikabot Distribution February 2024
Pikabot was distributed in Pikabot Distribution February 2024 using malicious emails with embedded links leading to malicious ZIP archives requiring user interaction for follow-on infection. The version of Pikabot distributed featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.[Elastic Pikabot 2024][Zscaler Pikabot 2024]
Internal MISP references
UUID 6e6fa0e4-18b3-5700-803d-b821dcdcd787
which can be used as unique global reference for Pikabot Distribution February 2024
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0036 |
first_seen | 2024-02-01T05:00:00Z |
last_seen | 2024-02-01T05:00:00Z |
source | MITRE |
PowerShell User Execution Social Engineering Campaign (TA571, ClearFake, ClickFix)
Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.
Initial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.[Proofpoint June 17 2024][BleepingComputer Fake Chrome Errors June 17 2024]
Internal MISP references
UUID 9864ed5a-0633-4c04-85f1-728d3ff37e82
which can be used as unique global reference for PowerShell User Execution Social Engineering Campaign (TA571, ClearFake, ClickFix)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3045 |
first_seen | 2024-03-01T00:00:00Z |
last_seen | 2024-06-07T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
QakBot January 2024 Campaign
A collection of TTPs associated with a phishing-based campaign that resulted in QakBot deployments. The campaign came about four months after the reported disruption of QakBot distribution networks in an international law enforcement operation.[K7 QakBot Returns January 4 2024]
Internal MISP references
UUID 6292123a-3d7e-4e8e-8ff0-daa7868433b7
which can be used as unique global reference for QakBot January 2024 Campaign
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3020 |
first_seen | 2023-12-11T00:00:00Z |
last_seen | 2024-01-04T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'e809d252-12cc-494d-94f5-954c49eb87ce', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Quantum Ransomware Compromise
Independent investigators reported details about a response to a compromise involving Quantum ransomware. The date of the attack was not disclosed, but the incident was reported in April 2022. IcedID was used to gain an initial foothold, Cobalt Strike and RDP were leveraged for lateral movement, and WMI and PsExec were used to deploy the ransomware payload. The incident was described as "one of the fastest ransomware cases" the investigators had handled, with domain-wide encryption occurring within four hours of initial access.[The DFIR Report April 25 2022]
Internal MISP references
UUID a9bef150-04e6-41f2-9f94-069f9912f5e3
which can be used as unique global reference for Quantum Ransomware Compromise
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3043 |
first_seen | 2022-04-01T00:00:00Z |
last_seen | 2022-04-25T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Russian SVR Cyber Operations and Vulnerability Exploitation Activity
On October 10, 2024, U.S. cybersecurity authorities and international partners released a joint Cybersecurity Advisory (JCSA-20241010-001), which detailed TTPs used by Russian Foreign Intelligence Service (SVR) actors (aka APT29, Midnight Blizzard, et al.) during "recent" cyber operations. The advisory highlighted the variety of initial access and post-exploitation TTPs leveraged by SVR actors in both targeted and broad-based campaigns, and it also spotlighted that these actors have the "capability and interest" to exploit a relatively long list of publicly disclosed vulnerabilities, which are tagged to this object.[FBI SVR Update October 10 2024]
Internal MISP references
UUID 246d56a6-141c-4d60-a346-538e44fac1c9
which can be used as unique global reference for Russian SVR Cyber Operations and Vulnerability Exploitation Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3062 |
first_seen | 2021-01-01T00:00:00Z |
last_seen | 2024-10-10T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['af5e9be5-b86e-47af-91dd-966a5e34a186', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '154bd6f0-9276-4ea5-946c-d35769d3ae4b', '1ee3e55f-8f28-43c4-9f01-8a1bad68bd56', '082b6886-9f4a-4237-82e4-827f6bab704e', '7d158419-2d50-4688-aa4f-3b68a4d30870', '5c7a911d-9f28-4f13-a6aa-c7a2e2b3ca55', '46404b24-e38a-4fea-981b-cac3d3020c8b', '9a0df3c4-2bbf-4192-a08a-ec27d9a4c5f1', 'e676e31d-d1d4-4a83-afa9-acf58be4f92a', '49478e42-38e9-417c-9cf9-7f2c5d41bfa8', 'b7ad8591-fbff-46ec-8f4a-33f569cce2f9', '5ef89937-dd06-4407-91d2-61db30c75934', '72d3fa15-265b-4f4c-ba77-635d8531fe69', '5bd6e9f7-78e3-4a8b-8734-c8c45b61a76d', 'b3665c87-5cb3-414e-8910-d4ffe53371c2', 'd1596bb2-b947-419a-b1f0-8f38e28eae09', '49a674f7-c117-422e-8057-67bdfab2de9c', 'a4240ea5-b7d4-40a0-afbd-76fcf2e4ebbc', 'f97e406e-0d4b-4927-af03-8113a720417f', '1b0321d7-4d9a-4977-bd2a-092c2693b328', 'cccb02c5-9791-4cb4-8fe8-0c5a6aea7dcf', '15b77e5c-2285-434d-9719-73c14beba8bd', '08809fa0-61b6-4394-b103-1c4d19a5be16', '7551097a-dfdd-426f-aaa2-a2916dd9b873', 'a32a757a-9d6b-43ca-ac4b-5f695dd0f110', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871'] |
Scattered Spider TTP Evolution - SaaS Targeting
Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. This object reflects the MITRE ATT&CK® Techniques associated with this activity.[Google Cloud June 13 2024]
Notable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).
Internal MISP references
UUID 43f29c00-437f-43f3-8d69-052a06f1a2eb
which can be used as unique global reference for Scattered Spider TTP Evolution - SaaS Targeting
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3041 |
first_seen | 2023-08-13T00:00:00Z |
last_seen | 2024-06-13T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['fe28cf32-a15c-44cf-892c-faa0360d6109', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
ScreenConnect Vulnerability Exploit Attacks
This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to recently reported attacks that featured exploits of recently disclosed vulnerabilities in the ConnectWise ScreenConnect utility (CVE-2024-1709 and CVE-2024-1708, aka "SlashAndGrab"). Several of the observed attacks saw the ingress of various malicious tools, including suspected ransomware.
Further background & contextual details can be found in the References tab below.
Internal MISP references
UUID 365150b8-94ed-4d43-895e-fb07d0a8a7cd
which can be used as unique global reference for ScreenConnect Vulnerability Exploit Attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3024 |
first_seen | 2024-02-19T00:00:00Z |
last_seen | 2024-02-23T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[CrowdStrike StellarParticle January 2022] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[SolarWinds Advisory Dec 2020][SolarWinds Sunburst Sunspot Update January 2021][FireEye SUNBURST Backdoor December 2020][Volexity SolarWinds][CrowdStrike StellarParticle January 2022][Unit 42 SolarStorm December 2020][Microsoft Analyzing Solorigate Dec 2020][Microsoft Internal Solorigate Investigation Blog]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[NSA Joint Advisory SVR SolarWinds April 2021][UK NSCS Russia SolarWinds April 2021][Mandiant UNC2452 APT29 April 2022] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[USG Joint Statement SolarWinds January 2021]
Internal MISP references
UUID 8bde8146-0656-5800-82e6-e24e008e4f4a
which can be used as unique global reference for SolarWinds Compromise
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0024 |
first_seen | 2019-08-01T05:00:00Z |
last_seen | 2021-01-01T06:00:00Z |
source | MITRE |
tags | ['fe28cf32-a15c-44cf-892c-faa0360d6109', 'f2ae2283-f94d-4f8f-bbde-43f2bed66c55'] |
Storm-0501 Hybrid Cloud Compromise
Microsoft researchers observed Storm-0501 actors abusing hybrid user identities and their associated privileges in order to pivot from on-premises to cloud environments in Q3 2024. Storm-0501 is a financially motivated actor that has been known to deploy multiple distinct ransomware families and exfiltrate data for extortion purposes; it leveraged the relatively new, Rust-based Embargo ransomware (along with a number of supporting commodity and open-source tools) during the hybrid compromise attack.[Microsoft Security Blog September 26 2024] Mandiant researchers linked Storm-0501 with an actor group they track as UNC2190, which was observed carrying out ransomware attacks while branded as "54BB47h" (Sabbath) in 2021.[Mandiant Sabbath Ransomware November 29 2021][Tyler McLellan UNC2190 September 26 2024]
Internal MISP references
UUID 96a04dd1-c6e6-4edd-ada4-03171fd15b2d
which can be used as unique global reference for Storm-0501 Hybrid Cloud Compromise
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3057 |
first_seen | 2024-07-17T00:00:00Z |
last_seen | 2024-09-17T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['ecfc9a06-e970-4310-ac3f-0af98163563b', '1c1a335a-dc30-470d-9539-b09aa87e2f8c', '15b77e5c-2285-434d-9719-73c14beba8bd', '532b7819-d407-41e9-9733-0d716b69eb17', 'c9c73000-30a5-4a16-8c8b-79169f9c24aa', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
TA577 NTLM Credential Theft Attacks
This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.
Internal MISP references
UUID 55fe6e08-96df-41a0-bfa9-555c6b4ce623
which can be used as unique global reference for TA577 NTLM Credential Theft Attacks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3029 |
first_seen | 2024-02-26T00:00:00Z |
last_seen | 2024-02-27T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Triton Safety Instrumented System Attack
Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.[Triton-EENews-2017] The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.[FireEye TRITON 2018] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[FireEye TRITON 2017]
Internal MISP references
UUID 6c7185e1-bd46-5a80-9a76-a376b16fbc7b
which can be used as unique global reference for Triton Safety Instrumented System Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0030 |
first_seen | 2017-06-01T04:00:00Z |
last_seen | 2017-08-01T04:00:00Z |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
UNC2190 2021 Ransomware Activity
Mandiant researchers observed UNC2190, an actor group now linked to Storm-0501, deploying evasive, in-memory-only ransomware in 2021 while branded as the "54BB47h" (Sabbath) ransomware gang. The group had previously branded its operations as Eruption and Arcane. UNC2190 was seen targeting organizations in the education, health, and natural resources sectors in the United States and Canada from June through at least October 2021.[Mandiant Sabbath Ransomware November 29 2021]
Internal MISP references
UUID 1a9e2500-a1aa-4001-8bb4-9d7ebca60d47
which can be used as unique global reference for UNC2190 2021 Ransomware Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3058 |
first_seen | 2021-06-01T00:00:00Z |
last_seen | 2021-10-26T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Unit 29155 Russian Military Cyber Activity
On September 5, 2024, international authorities published joint Cybersecurity Advisory AA24-249A, which detailed recent activity linked to cyber actors affiliated with the 161st Specialist Training Center (aka Unit 29155) of the Russian General Staff Main Intelligence Directorate (GRU), the foreign military intelligence agency of Russia's armed forces. The advisory highlighted Unit 29155 espionage, sabotage, and reputational cyber attacks carried out against targets around the world since 2020.
While Unit 29155 had been previously linked to influence, interference, and physical sabotage operations, the advisory noted how the group has expanded its tradecraft to now include offensive cyber operations. The advisory indicated that several groups tracked by the cybersecurity community relate to Unit 29155 cyber actors but may not be directly synonymous with all parts of the Unit (or each other), including: Cadet Blizzard, DEV-0586, Ember Bear, Bleeding Bear, Frozenvista, UNC2589, and UAC-0056.[U.S. CISA Unit 29155 September 5 2024]
Internal MISP references
UUID 5e1bc9d2-1f2e-4ba3-b6b8-8d4e1f635762
which can be used as unique global reference for Unit 29155 Russian Military Cyber Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3053 |
first_seen | 2020-08-03T00:00:00Z |
last_seen | 2024-09-05T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5b8371c5-1173-4496-82c7-5f0433987e77', 'f18e6c1d-d2ee-4eda-8172-67dcbc4e59ed', '9e4936f0-e3b7-4721-a638-58b2d093b2f2', '1281067e-4a7e-4003-acf8-e436105bf395', '7c67d99a-fc8a-4463-8f46-45e9a39fe6b0', 'fe28cf32-a15c-44cf-892c-faa0360d6109', '15f2277a-a17e-4d85-8acd-480bf84f16b4'] |
Velvet Ant Cisco Network Switches Exploit Activity (CVE-2024-20399)
Researchers observed suspected "China-nexus" actor Velvet Ant exploiting CVE-2024-20399 in Cisco Nexus network switch devices in order to upload and execute "previously unknown custom malware" on the devices' operating systems. Researchers first observed "zero-day" exploit activity in the wild at an undisclosed point "during the past year", and after they shared the findings, Cisco acknowledged the vulnerability in an advisory published on July 1, 2024.
The vulnerability's overall risk is mitigated by the fact that it requires valid administrator-level credentials and network access to the target switch for successful exploitation. However, researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances "are often not sufficiently protected and monitored". This exploit campaign was discovered as part of a larger investigation into Velvet Ant, which was previously observed targeting F5 load balancer devices for persistence.[The Hacker News Velvet Ant Cisco July 2 2024][Sygnia Velvet Ant July 1 2024]
Internal MISP references
UUID bcf6bb5b-443f-4adb-ab6b-f864ea27614d
which can be used as unique global reference for Velvet Ant Cisco Network Switches Exploit Activity (CVE-2024-20399)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3046 |
first_seen | 2023-07-01T00:00:00Z |
last_seen | 2024-07-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['72bc70fa-3979-4d3b-a0e9-b9ebebcf2a38', 'a98d7a43-f227-478e-81de-e7299639a355', 'a159c91c-5258-49ea-af7d-e803008d97d3', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Velvet Ant F5 BIG-IP Espionage Activity
This object reflects the tools & TTPs associated with a campaign attributed to Velvet Ant, a suspected "China-nexus" state-sponsored threat group. Researchers believe the actor managed to maintain extremely prolonged access to a victim network – residing and remaining active there for around three years – notably by abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as an internal command and control mechanism. Researchers assess the intrusion was carried out for espionage purposes.[Sygnia Velvet Ant June 17 2024][BleepingComputer Velvet Ant June 17 2024]
Internal MISP references
UUID b78565ce-8eec-49ad-b762-8d2107fa9ce7
which can be used as unique global reference for Velvet Ant F5 BIG-IP Espionage Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3044 |
first_seen | 2020-12-01T00:00:00Z |
last_seen | 2023-12-01T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['a159c91c-5258-49ea-af7d-e803008d97d3', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Versa Director Zero Day Exploitation
Versa Director Zero Day Exploitation was conducted by Volt Typhoon from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. Versa Director Zero Day Exploitation was followed by the delivery of the VersaMem web shell for both credential theft and follow-on code execution.[Lumen Versa 2024]
Internal MISP references
UUID e28a09b7-885f-5556-b56e-7ad3e0581ac0
which can be used as unique global reference for Versa Director Zero Day Exploitation
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0039 |
first_seen | 2024-06-01T06:00:00Z |
last_seen | 2024-08-01T06:00:00Z |
source | MITRE |
tags | ['a98d7a43-f227-478e-81de-e7299639a355', '712d4124-8860-488a-a780-2938f9df6313'] |
Void Banshee Zero-Day Exploit Activity
Void Banshee is an advanced persistent threat (APT) group identified by Trend Micro researchers, which is known to target victims in North America, Europe, and Southeast Asia for information theft and financial gain. In May 2024, researchers observed Void Banshee actors exploiting CVE-2024-38112, a remote code execution vulnerability in the "MSHTML" web browser software component. The vulnerability had not been previously disclosed, so the campaign was characterized as "zero-day" exploit activity. Actors delivered the Atlantida infostealer malware during the observed attacks.[Trend Micro Void Banshee July 15 2024]
Later, researchers noted that Void Banshee also exploited a separate MSHTML-related vulnerability, CVE-2024-43461, as a zero-day during attacks culminating in Atlantida infostealer deployments.[BleepingComputer Void Banshee September 16 2024]
Internal MISP references
UUID dbe34d5d-91b0-4a50-98c7-4e36ba0bcda6
which can be used as unique global reference for Void Banshee Zero-Day Exploit Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3054 |
first_seen | 2024-05-15T00:00:00Z |
last_seen | 2024-07-15T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['0281a78d-1eb1-4e10-9327-2032928e37d9', 'ff8a2e10-4bf7-45f0-954c-8847fdcb9612', 'a98d7a43-f227-478e-81de-e7299639a355', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Voldemort Malware Delivery Campaign
This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.
Internal MISP references
UUID e740e392-98cb-428a-ab92-b0a4d1d546b7
which can be used as unique global reference for Voldemort Malware Delivery Campaign
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3050 |
first_seen | 2024-08-05T00:00:00Z |
last_seen | 2024-08-29T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['fe28cf32-a15c-44cf-892c-faa0360d6109', '82009876-294a-4e06-8cfc-3236a429bda4', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Volt Typhoon Versa Director Zero-Day Exploitation (CVE-2024-39717) (Deprecated)
We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "Versa Director Zero Day Exploitation" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.
This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.
Internal MISP references
UUID 553feab0-28a8-4a0f-a4a9-2aac6aa11c56
which can be used as unique global reference for Volt Typhoon Versa Director Zero-Day Exploitation (CVE-2024-39717) (Deprecated)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3067 |
first_seen | 2024-06-12T00:00:00Z |
last_seen | 2024-07-15T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['a98d7a43-f227-478e-81de-e7299639a355', '712d4124-8860-488a-a780-2938f9df6313', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Water Curupira Pikabot Distribution
Pikabot was distributed in Water Curupira Pikabot Distribution throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of QakBot, with several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, while coinciding with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[TrendMicro Pikabot 2024]
Internal MISP references
UUID 5b6d5717-676d-5e8b-a2a3-2717c62f6450
which can be used as unique global reference for Water Curupira Pikabot Distribution
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C0037 |
first_seen | 2023-01-01T05:00:00Z |
last_seen | 2023-12-01T05:00:00Z |
source | MITRE |
WebDAV Malware Delivery Activity
Security researchers observed adversaries using Web Distributed Authoring and Versioning (WebDAV) remote file management technology - hosted via free, development/testing-focused Cloudflare servers - to deliver various malware payloads, including AsyncRAT, XWorm, VenomRAT, and the PureLogs infostealer. One infection involved an unspecified organization in the government sector.[Esentire July 31 2024]
Internal MISP references
UUID 635edcc0-f8af-4b61-85ba-2589df9f3c58
which can be used as unique global reference for WebDAV Malware Delivery Activity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3059 |
first_seen | 2024-07-01T00:00:00Z |
last_seen | 2024-07-31T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['61085b71-eb19-46d8-a9e6-1ab9d2f3c08d', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Windows SmartScreen Bypass (CVE-2024-21412) DarkGate Campaign
Researchers observed a campaign that used phishing communications to trick victims into clicking links that would redirect them to compromised websites hosting a zero-day vulnerability exploit to bypass Microsoft Windows SmartScreen security technology (CVE-2024-21412). The exploit activity involved additional redirect activity, including via internet shortcut files hosted on an adversary WebDAV server. The attacks culminated in delivery of the DarkGate loader/remote access trojan.[Trend Micro March 13 2024]
Internal MISP references
UUID 22265193-4c7d-4edb-8e4e-727dcefd0a09
which can be used as unique global reference for Windows SmartScreen Bypass (CVE-2024-21412) DarkGate Campaign
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3061 |
first_seen | 2024-01-15T00:00:00Z |
last_seen | 2024-02-13T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['5187cea7-601f-4829-8b41-306044200b64', 'a98d7a43-f227-478e-81de-e7299639a355', '61085b71-eb19-46d8-a9e6-1ab9d2f3c08d', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
Zloader & Ursnif Affiliate Campaign 2020-22
A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initially saw the installation of the Atera software, which was then used to load Zloader and, in some cases, Ursnif.[WeLiveSecurity April 19 2022]
Internal MISP references
UUID 396e073e-76d7-4fcf-97b4-9343d0a0b819
which can be used as unique global reference for Zloader & Ursnif Affiliate Campaign 2020-22
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
campaign_attack_id | C3001 |
first_seen | 2020-10-01T00:00:00Z |
last_seen | 2022-04-13T00:00:00Z |
owner | TidalCyberIan |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'ebec1bf0-e06c-48b2-adeb-fc0669306bc8', '39357cc1-dbb1-49e4-9fe0-ff24032b94d5', 'e7681e16-9106-4d0a-a915-9958989161a3', '2feda37d-5579-4102-a073-aa02e82cb49f'] |