Skip to content

Hide Navigation Hide TOC

Edit

Tidal Campaigns

Tidal Campaigns Cluster

Authors
Authors and/or Contributors
Tidal Cyber

2015 Ukraine Electric Power Attack

2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.

Internal MISP references

UUID 96e367d0-a744-5b63-85ec-595f505248a3 which can be used as unique global reference for 2015 Ukraine Electric Power Attack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0028
first_seen 2015-12-01T05:00:00Z
last_seen 2016-01-01T05:00:00Z
source MITRE

2016 Ukraine Electric Power Attack

2016 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by Sandworm Team.[ESET Industroyer][Dragos Crashoverride 2018]

Internal MISP references

UUID 06197e03-e1c1-56af-ba98-5071f98f91f1 which can be used as unique global reference for 2016 Ukraine Electric Power Attack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0025
first_seen 2016-12-01T05:00:00Z
last_seen 2016-12-01T05:00:00Z
source MITRE

2022 Ukraine Electric Power Attack

The 2022 Ukraine Electric Power Attack was a Sandworm Team campaign that used a combination of GOGETTER, Neo-REGEORG, CaddyWiper, and living of the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.[Mandiant-Sandworm-Ukraine-2022][Dragos-Sandworm-Ukraine-2022]

Internal MISP references

UUID a79e06d1-df08-5c72-9180-2c373274f889 which can be used as unique global reference for 2022 Ukraine Electric Power Attack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0034
first_seen 2022-06-01T04:00:00Z
last_seen 2022-10-01T04:00:00Z
source MITRE

2023 Increased Truebot Activity

In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.[U.S. CISA Increased Truebot Activity July 6 2023]

The Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.[U.S. CISA Increased Truebot Activity July 6 2023][Cisco Talos Blog December 08 2022]

Related Vulnerabilities: CVE-2022-31199[U.S. CISA Increased Truebot Activity July 6 2023]

Internal MISP references

UUID 87e14285-b86f-4f50-8d60-85398ba728b1 which can be used as unique global reference for 2023 Increased Truebot Activity in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5000
first_seen 2022-08-01T00:00:00Z
last_seen 2023-05-31T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '7cc57262-5081-447e-85a3-31ebb4ab2ae5']

2023 Ivanti EPMM APT Vulnerability Exploits

In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization's mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.

Ivanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the source report.[U.S. CISA CVE-2023-35078 Exploits]

Related Vulnerabilities: CVE-2023-35078[U.S. CISA CVE-2023-35078 Exploits], CVE-2023-35081[U.S. CISA CVE-2023-35078 Exploits]

Internal MISP references

UUID 33fd2417-0a9c-4748-ab99-0e641ab29fbc which can be used as unique global reference for 2023 Ivanti EPMM APT Vulnerability Exploits in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5004
first_seen 2023-04-01T00:00:00Z
last_seen 2023-07-28T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['2d80c940-ba2c-4d45-8272-69928953e9eb', '15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '81e948b3-5ec0-4df8-b6e7-1b037b1b2e67', '7551097a-dfdd-426f-aaa2-a2916dd9b873']

2023 Zoho ManageEngine APT Exploits

In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organization’s public-facing web servers. A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.’s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organization’s firewall devices.

After gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).[U.S. CISA Zoho Exploits September 7 2023]

In addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the source report.

Related Vulnerabilities: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228[U.S. CISA Zoho Exploits September 7 2023]

Internal MISP references

UUID d25f0485-fdf3-4b85-b2ec-53e98e215d0b which can be used as unique global reference for 2023 Zoho ManageEngine APT Exploits in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5005
first_seen 2023-01-01T00:00:00Z
last_seen 2023-04-01T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '7e6ef160-8e4f-4132-bdc4-9991f01c472e', '793f4441-3916-4b3d-a3fd-686a59dc3de2', '532b7819-d407-41e9-9733-0d716b69eb17']

APT28 Cisco Router Exploits

In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.

Actors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.[U.S. CISA APT28 Cisco Routers April 18 2023]

In addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the source report.

Related Vulnerabilities: CVE-2017-6742[U.S. CISA APT28 Cisco Routers April 18 2023]

Internal MISP references

UUID ed8de8c3-03d2-4892-bd74-ccbc9afc3935 which can be used as unique global reference for APT28 Cisco Router Exploits in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5007
first_seen 2021-01-01T00:00:00Z
last_seen 2021-12-31T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['f01290d9-7160-44cb-949f-ee4947d04b6f', 'b20e7912-6a8d-46e3-8e13-9a3fc4813852']

APT28 Router Compromise Attacks

U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.[U.S. Federal Bureau of Investigation 2 27 2024] According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.[U.S. Justice Department GRU Botnet February 2024]

Internal MISP references

UUID 2514a83a-3516-4d5d-a13c-2b6175989a26 which can be used as unique global reference for APT28 Router Compromise Attacks in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5015
first_seen 2022-12-01T00:00:00Z
last_seen 2024-01-01T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'a98d7a43-f227-478e-81de-e7299639a355', '916ea1e8-d117-45a4-8564-0597a02b06e4', 'b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'e809d252-12cc-494d-94f5-954c49eb87ce']

APT29 Cloud TTP Evolution

UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.[U.S. CISA APT29 Cloud Access]

Internal MISP references

UUID c1257a02-716f-4477-9eab-c38827418ed2 which can be used as unique global reference for APT29 Cloud TTP Evolution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5016
first_seen 2023-02-26T00:00:00Z
last_seen 2024-02-26T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '291c006e-f77a-4c9c-ae7e-084974c0e1eb']

APT29 TeamCity Exploits

Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the Add to Matrix button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a 60-second tutorial here).

In December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russia’s Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.

CVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.

JetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims. Indicators of compromise, mitigation guidance, and detection resources – including Sigma and YARA rules – can be found in the source report.[U.S. CISA SVR TeamCity Exploits December 2023]

Internal MISP references

UUID 80ae546a-70e5-4427-be1d-e74efc428ffd which can be used as unique global reference for APT29 TeamCity Exploits in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5012
first_seen 2023-09-01T00:00:00Z
last_seen 2023-12-14T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['08809fa0-61b6-4394-b103-1c4d19a5be16', '4a457eb3-e404-47e5-b349-8b1f743dc657']

ArcaneDoor

ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.[Cisco Talos ArcaneDoor April 24 2024]

Researchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.[Wired ArcaneDoor April 24 2024] The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.[Cisco Talos ArcaneDoor April 24 2024]

Internal MISP references

UUID ccc6401a-b79f-424b-8617-3c2d55475584 which can be used as unique global reference for ArcaneDoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5019
first_seen 2023-11-01T00:00:00Z
last_seen 2024-02-29T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['a159c91c-5258-49ea-af7d-e803008d97d3', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', '6bb2f579-a5cd-4647-9dcd-eff05efe3679', 'c25f341a-7030-4688-a00b-6d637298e52e', '9768aada-9d63-4d46-ab9f-d41b8c8e4010', '2e85babc-77cd-4455-9c6e-312223a956de', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3']

C0010

C0010 was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researcher assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. C0010 began by at least late 2020, and was still ongoing as of mid-2022.[Mandiant UNC3890 Aug 2022]

Internal MISP references

UUID a1e33caf-6eb0-442f-b97a-f6042f21df48 which can be used as unique global reference for C0010 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0010
first_seen 2020-12-01T07:00:00Z
last_seen 2022-08-01T06:00:00Z
source MITRE

C0011

C0011 was a suspected cyber espionage campaign conducted by Transparent Tribe that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from Transparent Tribe's historic targeting Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.[Cisco Talos Transparent Tribe Education Campaign July 2022]

Internal MISP references

UUID 4c7386a7-9741-4ae4-8ad9-def03ed77e29 which can be used as unique global reference for C0011 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0011
first_seen 2021-12-01T06:00:00Z
last_seen 2022-07-01T05:00:00Z
source MITRE

C0015

C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated Conti ransomware playbook based on the observed pattern of activity and operator errors.[DFIR Conti Bazar Nov 2021]

Internal MISP references

UUID 85bbff82-ba0c-4193-a3b5-985afd5690c5 which can be used as unique global reference for C0015 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0015
first_seen 2021-08-01T05:00:00Z
last_seen 2021-08-01T05:00:00Z
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']

C0017

C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).[Mandiant APT41]

Internal MISP references

UUID a56d7700-c015-52ca-9c52-fed4d122c100 which can be used as unique global reference for C0017 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0017
first_seen 2021-05-01T04:00:00Z
last_seen 2022-02-01T05:00:00Z
source MITRE
tags ['a98d7a43-f227-478e-81de-e7299639a355']

C0018

C0018 was a month-long ransomware intrusion that successfully deployed AvosLocker onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing AvosLocker.[Costa AvosLocker May 2022][Cisco Talos Avos Jun 2022]

Internal MISP references

UUID 0452e367-aaa4-5a18-8028-a7ee136fe646 which can be used as unique global reference for C0018 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0018
first_seen 2022-02-01T05:00:00Z
last_seen 2022-03-01T05:00:00Z
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']

C0021

C0021 was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. C0021's technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected APT29 activity.[Microsoft Unidentified Dec 2018][FireEye APT29 Nov 2018]

Internal MISP references

UUID 86bed8da-4cab-55fe-a2d0-9214db1a09cf which can be used as unique global reference for C0021 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0021
first_seen 2018-11-01T05:00:00Z
last_seen 2018-11-01T05:00:00Z
source MITRE

C0026

C0026 was a campaign identified in September 2022 that included the selective distribution of KOPILUWAK and QUIETCANARY malware to previous ANDROMEDA malware victims in Ukraine through re-registered ANDROMEDA C2 domains. Several tools and tactics used during C0026 were consistent with historic Turla operations.[Mandiant Suspected Turla Campaign February 2023]

Internal MISP references

UUID 41f283a1-b2ac-547d-98d5-ff907afd08c7 which can be used as unique global reference for C0026 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0026
first_seen 2022-08-01T05:00:00Z
last_seen 2022-09-01T04:00:00Z
source MITRE

C0027

C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[Crowdstrike TELCO BPO Campaign December 2022]

Internal MISP references

UUID a9719584-4f52-5a5d-b0f7-1059e715c2b8 which can be used as unique global reference for C0027 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0027
first_seen 2022-06-01T04:00:00Z
last_seen 2022-12-01T05:00:00Z
source MITRE

C0032

C0032 was an extended campaign suspected to involve the Triton adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the Triton Safety Instrumented System Attack.[FireEye TRITON 2019]

Internal MISP references

UUID c26b3156-8472-5b87-971f-41a7a4702268 which can be used as unique global reference for C0032 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0032
first_seen 2014-10-01T04:00:00Z
last_seen 2017-01-01T05:00:00Z
source MITRE

C0033

C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[welivesec_strongpity]

Internal MISP references

UUID c5d35d8d-fe96-5210-bb57-4692081a25a9 which can be used as unique global reference for C0033 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0033
first_seen 2016-05-01T07:00:00Z
last_seen 2023-01-01T08:00:00Z
source MITRE

Clop MOVEit Transfer Vulnerability Exploitation

In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to "CL0P Ransomware Gang, also known as TA505", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see "widespread exploitation of unpatched software services in both private and public networks".[U.S. CISA CL0P CVE-2023-34362 Exploitation] Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.[Progress Software MOVEit Transfer Critical Vulnerability]

Related Vulnerabilities: CVE-2023-34362[U.S. CISA CL0P CVE-2023-34362 Exploitation]

Internal MISP references

UUID f20c935b-e0c5-4941-b710-73cf06dd2b4a which can be used as unique global reference for Clop MOVEit Transfer Vulnerability Exploitation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5002
first_seen 2023-05-27T00:00:00Z
last_seen 2023-06-16T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['5e7433ad-a894-4489-93bc-41e90da90019', 'a98d7a43-f227-478e-81de-e7299639a355', '173e1480-8d9b-49c5-854d-594dde9740d6']

CostaRicto

CostaRicto was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. CostaRicto actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[BlackBerry CostaRicto November 2020]

Internal MISP references

UUID fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48 which can be used as unique global reference for CostaRicto in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0004
first_seen 2019-10-01T04:00:00Z
last_seen 2020-11-01T04:00:00Z
source MITRE

Cutting Edge

Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[Mandiant Cutting Edge January 2024][Volexity Ivanti Zero-Day Exploitation January 2024][Volexity Ivanti Global Exploitation January 2024][Mandiant Cutting Edge Part 2 January 2024][Mandiant Cutting Edge Part 3 February 2024]

Internal MISP references

UUID 4e605e33-57fe-5bb2-b0ad-ec146aac041b which can be used as unique global reference for Cutting Edge in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0029
first_seen 2023-12-01T05:00:00Z
last_seen 2024-02-01T05:00:00Z
source MITRE
tags ['9768aada-9d63-4d46-ab9f-d41b8c8e4010', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'd1ab6bd6-2688-4e54-a1d3-d180bb8fd41a', '1ff4614e-0ee6-4e04-921d-61abba7fcdb7', 'e00b65fc-8f56-4a9e-9f09-ccf3124a3272']

Defense Sector Supply Chain Compromise by North Korea-Linked Actors

German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.[BfV North Korea February 17 2024]

Internal MISP references

UUID 1a2caf4c-658d-4117-a912-55f4d6bca899 which can be used as unique global reference for Defense Sector Supply Chain Compromise by North Korea-Linked Actors in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5014
first_seen 2022-12-01T00:00:00Z
last_seen 2022-12-31T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', 'e7ea1f6d-59f2-40c1-bbfe-835dedf033ee']

FIN12 March 2023 Hospital Center Intrusion

In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.

The actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.

Additional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the source report.[CERTFR-2023-CTI-007]

Related Vulnerabilities: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[CERTFR-2023-CTI-007]

Internal MISP references

UUID 129ffe04-ea90-45d1-a2fd-7ff0bffa0433 which can be used as unique global reference for FIN12 March 2023 Hospital Center Intrusion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5006
first_seen 2023-03-01T00:00:00Z
last_seen 2023-03-31T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['2743d495-7728-4a75-9e5f-b64854039792', 'ecd84106-2a5b-4d25-854e-b8d1f57f6b75', 'a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530', '4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', 'd385b541-4033-48df-93cd-237ca6e46f36']

Frankenstein

Frankenstein was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including Empire. The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.[Talos Frankenstein June 2019]

Internal MISP references

UUID 2fab9878-8aae-445a-86db-6b47b473f56b which can be used as unique global reference for Frankenstein in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0001
first_seen 2019-01-01T06:00:00Z
last_seen 2019-04-01T05:00:00Z
source MITRE

FunnyDream

FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[Bitdefender FunnyDream Campaign November 2020][Kaspersky APT Trends Q1 2020][Recorded Future Chinese Activity in Southeast Asia December 2021]

Internal MISP references

UUID 94587edf-0292-445b-8c66-b16629597f1e which can be used as unique global reference for FunnyDream in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0007
first_seen 2018-07-01T05:00:00Z
last_seen 2020-11-01T04:00:00Z
source MITRE

Iranian APT Credential Harvesting & Cryptomining Activity

In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.

Additional details, including incident response guidance and relevant mitigations, can be found in the source report.[U.S. CISA Advisory November 25 2022]

Related Vulnerabilities: CVE-2021-44228[U.S. CISA Advisory November 25 2022]

Internal MISP references

UUID 7d6ff40d-51f3-42f8-b986-e7421f59b4bd which can be used as unique global reference for Iranian APT Credential Harvesting & Cryptomining Activity in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5008
first_seen 2022-06-15T00:00:00Z
last_seen 2022-07-15T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '7e6ef160-8e4f-4132-bdc4-9991f01c472e']

Iranian APT Targeting U.S. Voter Data

In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state – after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.[U.S. CISA Iran Voter Data November 3 2020]

Internal MISP references

UUID 18cf25b5-ed3a-40f6-bf0a-a3938a4f8da2 which can be used as unique global reference for Iranian APT Targeting U.S. Voter Data in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5010
first_seen 2020-09-20T00:00:00Z
last_seen 2020-10-20T00:00:00Z
owner TidalCyberIan
source Tidal Cyber

Iranian IRGC Data Extortion Operations

In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.

The actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.

In addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports here and here.

Related Vulnerabilities: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105[U.S. CISA IRGC Actors September 14 2022], CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591[U.S. CISA Iranian Government Actors November 19 2021]

Internal MISP references

UUID 338c6497-2b13-4c2b-bd45-d8b636c35cac which can be used as unique global reference for Iranian IRGC Data Extortion Operations in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5009
first_seen 2021-03-01T00:00:00Z
last_seen 2022-09-14T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '15787198-6c8b-4f79-bf50-258d55072fee', 'd84be7c9-c652-4a43-a79e-ef0fa2318c58', '1423b5a8-cff3-48d5-a0a2-09b3afc9f195', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'fde4c246-7d2d-4d53-938b-44651cf273f1', 'c3779a84-8132-4c62-be2f-9312ad41c273', 'c035da8e-f96c-4793-885d-45017d825596', '7e6ef160-8e4f-4132-bdc4-9991f01c472e', 'd713747c-2d53-487e-9dac-259230f04460', '964c2590-4b52-48c6-afff-9a6d72e68908']

Ivanti Gateway Vulnerability Exploits

This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background & contextual details can be found in the References tab below.

Internal MISP references

UUID c2544d1d-3c99-4601-86fe-8b62020aaffc which can be used as unique global reference for Ivanti Gateway Vulnerability Exploits in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5017
first_seen 2023-12-01T00:00:00Z
last_seen 2024-02-29T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['fe984a01-910d-4e39-9c49-179aa03f75ab', '9768aada-9d63-4d46-ab9f-d41b8c8e4010', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'd1ab6bd6-2688-4e54-a1d3-d180bb8fd41a', '1ff4614e-0ee6-4e04-921d-61abba7fcdb7', 'e00b65fc-8f56-4a9e-9f09-ccf3124a3272']

June 2023 Citrix Vulnerability Exploitation

In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller ("ADC") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.[U.S. CISA CVE-2023-3519 Exploits] Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.[Citrix Bulletin CVE-2023-3519]

After achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim's Active Directory ("AD"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segementation controls for the ADC appliance blocked this attempted activity.[U.S. CISA CVE-2023-3519 Exploits] Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is "consistent with previous operations by China-nexus actors".[Mandiant CVE-2023-3519 Exploitation]

Related Vulnerabilities: CVE-2023-3519[U.S. CISA CVE-2023-3519 Exploits]

Internal MISP references

UUID 86e3565d-93dc-40e5-8f84-20d1c15b8e9d which can be used as unique global reference for June 2023 Citrix Vulnerability Exploitation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5001
first_seen 2023-06-01T00:00:00Z
last_seen 2023-06-30T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['fe984a01-910d-4e39-9c49-179aa03f75ab', 'a98d7a43-f227-478e-81de-e7299639a355', 'c475ad68-3fdc-4725-8abc-784c56125e96']

LockBit Affiliate Citrix Bleed Exploits

In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.

Citrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.

After successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the source report.[U.S. CISA LockBit Citrix Bleed November 21 2023] Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.[Malwarebytes Citrix Bleed November 24 2023][Cybernews Yanfeng Qilin November 2023]

Internal MISP references

UUID f4225d6a-8734-401f-aa2a-1a73c23b16e6 which can be used as unique global reference for LockBit Affiliate Citrix Bleed Exploits in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5011
first_seen 2023-08-01T00:00:00Z
last_seen 2023-11-16T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']

Night Dragon

Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[McAfee Night Dragon]

Internal MISP references

UUID 85f136b3-d5a3-4c4c-a37c-40e4418dc989 which can be used as unique global reference for Night Dragon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0002
first_seen 2009-11-01T04:00:00Z
last_seen 2011-02-01T05:00:00Z
source MITRE

Operation Bearded Barbie

"Operation Bearded Barbie" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially "high-profile" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.[Cybereason Operation Bearded Barbie April 5 2022]

Internal MISP references

UUID 0496e076-1813-4f51-86e6-8f551983e8f8 which can be used as unique global reference for Operation Bearded Barbie in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5018
first_seen 2022-03-01T00:00:00Z
last_seen 2022-04-01T00:00:00Z
owner TidalCyberIan
source Tidal Cyber

Operation CuckooBees

Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[Cybereason OperationCuckooBees May 2022]

Internal MISP references

UUID 81bf4e45-f0d3-4fec-a9d4-1259cf8542a1 which can be used as unique global reference for Operation CuckooBees in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0012
first_seen 2019-12-01T07:00:00Z
last_seen 2022-05-01T06:00:00Z
source MITRE

Operation Dream Job

Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[ClearSky Lazarus Aug 2020][McAfee Lazarus Jul 2020][ESET Lazarus Jun 2020][The Hacker News Lazarus Aug 2022]

Internal MISP references

UUID 9a94e646-cbe5-54a1-8bf6-70ef745e641b which can be used as unique global reference for Operation Dream Job in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0022
first_seen 2019-09-01T04:00:00Z
last_seen 2020-08-01T04:00:00Z
source MITRE

Operation Dust Storm

Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[Cylance Dust Storm]

Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[Cylance Dust Storm]

Internal MISP references

UUID af0c0f55-dc4f-4cb5-9350-3a2d7c07595f which can be used as unique global reference for Operation Dust Storm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0016
first_seen 2010-01-01T07:00:00Z
last_seen 2016-02-01T06:00:00Z
source MITRE

Operation Ghost

Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[ESET Dukes October 2019]

Internal MISP references

UUID 1fcfe949-5f96-578e-86ad-069ba123c867 which can be used as unique global reference for Operation Ghost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0023
first_seen 2013-09-01T04:00:00Z
last_seen 2019-10-01T04:00:00Z
source MITRE

Operation Honeybee

Operation Honeybee was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. Operation Honeybee initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.[McAfee Honeybee]

Internal MISP references

UUID f741ed36-2d52-40ae-bbdc-70722f4071c7 which can be used as unique global reference for Operation Honeybee in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0006
first_seen 2017-08-01T05:00:00Z
last_seen 2018-02-01T06:00:00Z
source MITRE

Operation Sharpshooter

Operation Sharpshooter was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous Lazarus Group operations, including fake job recruitment lures and shared malware code.[McAfee Sharpshooter December 2018][Bleeping Computer Op Sharpshooter March 2019][Threatpost New Op Sharpshooter Data March 2019]

Internal MISP references

UUID 57e858c8-fd0b-4382-a178-0165d03aa8a9 which can be used as unique global reference for Operation Sharpshooter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0013
first_seen 2017-09-01T05:00:00Z
last_seen 2019-03-01T06:00:00Z
source MITRE

Operation Spalax

Operation Spalax was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The Operation Spalax threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to APT-C-36, however identified enough differences to report this as separate, unattributed activity.[ESET Operation Spalax Jan 2021]

Internal MISP references

UUID 98d3a8ac-6af9-4471-83f6-e880ca70261f which can be used as unique global reference for Operation Spalax in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0005
first_seen 2019-11-01T05:00:00Z
last_seen 2021-01-01T06:00:00Z
source MITRE

Operation Wocao

Operation Wocao was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.[FoxIT Wocao December 2019]

Security researchers assessed the Operation Wocao actors used similar TTPs and tools as APT20, suggesting a possible overlap. Operation Wocao was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.[FoxIT Wocao December 2019]

Internal MISP references

UUID 56e4e10f-8c8c-4b7c-8355-7ed89af181be which can be used as unique global reference for Operation Wocao in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0014
first_seen 2017-12-01T05:00:00Z
last_seen 2019-12-01T05:00:00Z
source MITRE

PaperCut Vulnerability Exploitation

In May 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) authorities released Cybersecurity Advisory AA23-131A, which detailed observed exploits of a vulnerability, CVE-2023-27350, affecting certain versions of PaperCut NG and PaperCut MF, software applications for print management. PaperCut released a patch for the vulnerability in March 2023.[PaperCut MF/NG vulnerability bulletin] According to the Advisory, authorities observed unspecified threat actors exploiting the vulnerability in mid-April 2023, followed by exploitation by the self-identified Bl00dy Ransomware Gang the following month.[U.S. CISA PaperCut May 2023]

CVE-2023-27350 allows a remote actor to bypass authentication and remotely execute code on servers running affected versions of PaperCut software. In May, U.S. authorities observed Bl00dy Ransomware Gang actors exploiting the vulnerability to achieve initial access into education sector entities' networks and ingressing both legitimate remote management and maintenance (RMM) tools and several other command and control-related malware, including Lizar, Truebot, and Cobalt Strike. In some cases, the actors ultimately exfiltrated victim data and encrypted files, demanding payment in order to decrypt affected systems (the Advisory did not indicate how precisely actors encrypted data). The Advisory indicated that the "Education Facilities Subsector" maintains nearly 70% of exposed (but not necessarily vulnerable) U.S.-based PaperCut servers.[U.S. CISA PaperCut May 2023]

The Advisory instructed defenders to focus CVE-2023-27350 detection efforts on three areas: network traffic signatures, system monitoring, and server settings and log files. More details and resources for detection can be found in the source report.

Related Vulnerabilities: CVE-2023-27350[U.S. CISA PaperCut May 2023]

Internal MISP references

UUID 38443d11-135a-47ac-909f-fa34744bc3a5 which can be used as unique global reference for PaperCut Vulnerability Exploitation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5003
first_seen 2023-04-15T00:00:00Z
last_seen 2023-05-30T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '992bdd33-4a47-495d-883a-58010a2f0efb']

Pikabot Distribution Campaigns 2023

Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the Add to Matrix button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a 60-second tutorial here).

This is a single object to represent the initial access and delivery methods observed with Pikabot distribution in the first year after its discovery. Distribution campaigns have been linked to the TA577 threat actor (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike)[Malwarebytes Pikabot December 15 2023][Unit42 Malware Roundup December 29 2023]; however, the Technique- and Procedure level intelligence associated with these campaigns that is provided below was not explicitly linked to that group, so we are providing this intelligence to users in this Campaign form. The Water Curupira intrusion set (affiliated with the Black Basta ransomware operation) has also been observed distributing Pikabot.[Trend Micro Pikabot January 9 2024]

Internal MISP references

UUID 71f6d3b1-c45e-421c-99cb-3b695647cf0b which can be used as unique global reference for Pikabot Distribution Campaigns 2023 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C5013
first_seen 2023-02-01T00:00:00Z
last_seen 2023-12-31T00:00:00Z
owner TidalCyberIan
source Tidal Cyber
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']

SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[SolarWinds Advisory Dec 2020][SolarWinds Sunburst Sunspot Update January 2021][FireEye SUNBURST Backdoor December 2020][Volexity SolarWinds][CrowdStrike StellarParticle January 2022][Unit 42 SolarStorm December 2020][Microsoft Analyzing Solorigate Dec 2020][Microsoft Internal Solorigate Investigation Blog]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[NSA Joint Advisory SVR SolarWinds April 2021][UK NSCS Russia SolarWinds April 2021][Mandiant UNC2452 APT29 April 2022] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[USG Joint Statement SolarWinds January 2021]

Internal MISP references

UUID 8bde8146-0656-5800-82e6-e24e008e4f4a which can be used as unique global reference for SolarWinds Compromise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0024
first_seen 2019-08-01T05:00:00Z
last_seen 2021-01-01T06:00:00Z
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']

Triton Safety Instrumented System Attack

Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.[Triton-EENews-2017] The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.[FireEye TRITON 2018] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[FireEye TRITON 2017]

Internal MISP references

UUID 6c7185e1-bd46-5a80-9a76-a376b16fbc7b which can be used as unique global reference for Triton Safety Instrumented System Attack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
campaign_attack_id C0030
first_seen 2017-06-01T04:00:00Z
last_seen 2017-08-01T04:00:00Z
source MITRE