Not Simon 🐐

Country: People's Republic of China Organization: N/A Objective: Espionage (Page Last Updated: November 20, 2024)

Aliases:

• Earth Estries (Trend Micro)
• FamousSparrow (ESET, Fortinet)
• GhostEmperor (Kaspersky, Malpedia, Rapid7)
• Liminal Panda (CrowdStrike)
• Salt Typhoon Microsoft)
• UNC2286 (Mandiant)

Links to other groups

• DRBControl (PDF, Source: ESET)
• SparklingGoblin (subset of “Winnti” Source: ESET)
• Tropic Trooper (Source: Kaspersky)
  • Tropic Trooper (ETDA, Kaspersky, MITRE, Unit 42)
  • KeyBoy (Citizen Lab, Rapid7, formerly used by PwC)
  • Pirate Panda (Anomali, CrowdStrike)
• UNC4841 (Mandiant)

Vulnerabilities Exploited

• ProxyLogon (Sources: ESET, Kaspersky, Sygnia):
  • CVE-2021-26855 (9.8 critical, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26857 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26858 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-27065 (7.8 high, in CISA's KEV Catalog)
• unidentified Microsoft SharePoint and Oracle Opera business software vulnerabilities (Source: ESET)
• CVE-2017-11882 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office Memory Corruption Vulnerability Source: Trend Micro
• CVE-2012-0158 (8.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper, KeyBoy) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Unit 42, Citizen Lab
• CVE-2017-0199 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Citizen Lab
• CVE-2015-1641 (7.8 high, in CISA's KEV Catalog. Note: associated with alias KeyBoy) Microsoft Office Memory Corruption Vulnerability Source: Citizen Lab

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• November 20, 2024 – Natto Thoughts: Salt Typhoon: Churning Up a Storm of Consternation
• November 19, 2024 – CrowdStrike: Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector
• November 15, 2024 – Wall Street Journal: T-Mobile Hacked in Massive Chinese Breach of Telecom Networks (news article)
• November 07, 2024 – Trend Micro: Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations
• October 25, 2024 – Wall Street Journal: Chinese Hackers Targeted Phones of Trump, Vance, and Harris Campaign (news article)
• October 25, 2024 – CISA: Joint Statement by FBI and CISA on PRC Activity Targeting Telecommunications (not explicitly mentioned)
• October 11, 2024 – Washington Post: White House forms emergency team to deal with China espionage hack (news article)
• October 04, 2024 – Wall Street Journal: U.S. Wiretap Systems Targeted in China-Linked Hack (news article)
• September 25, 2024 – Wall Street Journal: China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack (news article)
• September 05, 2024 – Kaspersky: Tropic Trooper spies on government entities in the Middle East
• July 17, 2024 – Sygnia: The Return of Ghost Emperor's Demodex

2023

• August 30, 2023 – Trend Micro: Earth Estries Targets Government, Tech for Cyberespionage

2022

• February 28, 2022 – NCSC-UK: Malware Analysis Report: SparrowDoor (PDF)

2021

• December 14, 2021 – Trend Micro: Collecting In the Dark: Tropic Trooper Targets Transportation and Government (archive of dead link)
• October 19, 2021 – CrowdStrike: LIMINAL PANDA: A Roaming Threat to Telecommunications Companies
• September 30, 2021 – Kaspersky: GhostEmperor: From ProxyLogon to kernel mode
• September 23, 2021 – ESET: FamousSparrow: A suspicious hotel guest

2020

• May 12, 2020 – Trend Micro: Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments (archive of dead link)
• April 30, 2020 – Anomali: Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center

2018

• August 08, 2018 – Citizen Lab: Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
• March 14, 2018 – Trend Micro: Tropic Trooper’s New Strategy

2017

• November 16, 2017 – Lookout: Tropic Trooper Goes Mobile With Titan Surveillanceware
• February 11, 2017 – PwC: The KeyBoys are back in town (archive of dead link)

2016

• November 22, 2016 – Unit 42: Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
• November 17, 2016 – Citizen Lab: It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community

2015

• May 14, 2015 – Trend Micro: Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers (PDF)

2013

• June 13, 2013 – Cisco: Scope of 'KeyBoy' Targeted Malware Attacks
• June 07, 2013 – Rapid7: KeyBoy, Targeted Attacks against Vietnam and India (archive of dead link)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: People's Republic of China Organization: Integrity Technology Group Objective: Espionage, Information theft (Page last updated: October 13, 2024)

Aliases (sorted alphabetically):

• Ethereal Panda (CrowdStrike)
• Flax Typhoon (CFR, ETDA, FBI, Microsoft, Malpedia, NSA, NCSC-UK)
• RedJuliett (Recorded Future)
• Storm-0919 (previously used by Microsoft)

Associated Company

Integrity Technology Group (Integrity Tech) (Source: FBI (PDF)) aka Yongxin Zhicheng, 永信至诚

Vulnerabilities Exploited

Source: FBI

• CVE-2024-5217 (KEV)
• CVE-2024-4577 (KEV)
• CVE-2024-29973
• CVE-2024-29269
• CVE-2024-21762 (KEV)
• CVE-2023-50386
• CVE-2023-47218
• CVE-2023-46747 (KEV)
• CVE-2023-46604 (KEV)
• CVE-2023-43478
• CVE-2023-4166
• CVE-2023-38646
• CVE-2023-3852
• CVE-2023-38035 (KEV)
• CVE-2023-37582
• CVE-2023-36844 (KEV)
• CVE-2023-36542
• CVE-2023-35885
• CVE-2023-35843
• CVE-2023-3519 (KEV)
• CVE-2023-35081 (KEV)
• CVE-2023-34960
• CVE-2023-34598
• CVE-2023-3368
• CVE-2023-33510
• CVE-2023-30799
• CVE-2023-28771 (KEV)
• CVE-2023-28365
• CVE-2023-27997 (KEV)
• CVE-2023-27524 (KEV)
• CVE-2023-26469
• CVE-2023-25690
• CVE-2023-24229
• CVE-2023-23333
• CVE-2023-22527 (KEV)
• CVE-2023-22515 (KEV)
• CVE-2023-42475 (KEV)
• CVE-2022-40881
• CVE-2022-3590
• CVE-2022-31814
• CVE-2022-30525 (KEV)
• CVE-2022-26134 (KEV)
• CVE-2022-20707
• CVE-2022-1388 (KEV)
• CVE-2021-46422
• CVE-2021-45511
• CVE-2021-44228 (KEV)
• CVE-2021-36260 (KEV)
• CVE-2021-28799 (KEV)
• CVE-2021-20090 (KEV)
• CVE-2021-1473
• CVE-2021-1472
• CVE-2020-8515 (KEV)
• CVE-2020-4450
• CVE-2020-35391
• CVE-2020-3452 (KEV)
• CVE-2020-3451
• CVE-2020-15415
• CVE-2019-7256 (KEV)
• CVE-2019-19824
• CVE-2019-17621 (KEV)
• CVE-2019-12168
• CVE-2019-11829
• CVE-2018-18852
• CVE-2017-7876
• CVE-2015-7450 (KEV)

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• October 09, 2024: Natto Thoughts: Business Priorities of Chinese Cyber Range Providers Go Hand in Hand with State Cyber Capability Development
• September 25, 2024: Natto Thoughts: Flax Typhoon-Linked Company Integrity Technology: a Competitor, Business Partner and Client of i-SOON
• September 18, 2024: (ATTRIBUTION)
  • FBI: People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations (PDF)
  • NSA: NSA and Allies Issue Advisory about PRC-Linked Actors and Botnet Operations
  • U.S. Department of Justice: Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers
  • ASD ACSC: People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations (available as PDF)
  • NCSC-UK: NCSC and partners issue advice to counter China-linked campaign targeting thousands of devices
  • The Record: Company listed on Shanghai stock exchange accused of aiding Chinese cyberattacks (background information on Integrity Technology Group)
• June 24, 2024 – Recorded Future: Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation (available as PDF)
• April 04, 2024 – Microsoft: Same targets, new playbooks: East Asia threat actors employ unique methods (brief mention, no IOC)

2023

• September 23, 2023??? – SecurityScorecard: SecurityScorecard Identifies Possible Flax Typhoon Infrastructure
• August 24, 2023 – Microsoft: Flax Typhoon using legitimate software to quietly access Taiwanese organizations
• March 03, 2023 – CrowdStrike: 2023 Global Threat Report (PDF, page 29)

2022

• September 26, 2022 – Center for Security and Emerging Technology: Downrange: A Survey of China’s Cyber Ranges (PDF, page 8)

2020

• May 20, 2020?? – PRC Ministry of State Security: 前沿 | 网络靶场，未来安全的基础设施 (web archive of a MSS-run periodical reprinted on IntegrityTech's website, English translation: “Frontier | Cyber ​​Range, the secure infrastructure of the future”)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: Islamic Republic of Iran Organization: Ministry of Intelligence and Security (MOIS) Objective: Espionage, Sabotage (Page last updated October 12, 2024)

Aliases (sorted alphabetically):

• APT34 (Check Point Research, FireEye, Intezer, NSA, NSFOCUS, Trend Micro)
• CHRYSENE (Dragos)
• Cobalt Gypsy (Secureworks) (primary)
• Cobalt Lyceum (Secureworks)
• Crambus (Symantec)
• Earth Simnavaz (Trend Micro)
• Europium (previously used by Microsoft)
• Greenbug (ClearSky, Symantec)
• Hazel Sandstorm (Microsoft)
• Helix Kitten (CrowdStrike, Wikipedia)
• HEXANE (Dragos) (linked to Lyceum by Kaspersky)
• ITG13 (IBM)
• Lyceum (Kaspersky, Secureworks)
• OilRig (ClearSky, Cyble, EDTA, ESET, Kaspersky, Malpedia, MITRE, Unit 42)
• TA452 (Proofpoint)
• TG-2889 (formerly used by Secureworks)
• Yellow Maero (PwC

Sub-group:

• DEV-0842 (Microsoft) / Void Manticore (Check Point Research)
• DEV-0861 (Microsoft) / Scarred Manticore (Check Point Research) / UNC1860 (Mandiant)
• DEV-0166 (Microsoft) / IntrudingDivisor (Unit 42)
• DEV-0133 (Microsoft)

Known Associates

• Mojtaba Mostafavi. Source: U.S. Treasury (linked by PwC, via Lab Dookhtegan leaks)
• Farzin Karimi Mazlganchai: PwC

Vulnerabilities Exploited

• CVE-2024-30088, (CVSS3v1: 7.0 high) Windows Kernel Elevation of Privilege Vulnerability Source: Trend Micro
• CVE-2019-0604 (CVE, NVD. CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Microsoft SharePoint Remote Code Execution Vulnerability Source: Microsoft
• CVE-2017-11882 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Mandiant
• CVE-2017-0199 (CVE, NVD, CVSS3v1: 7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Unit 42

Tactics, Techniques, and Procedures (TTPs)

• Enterprise TTPs mapped to MITRE ATT&CK Navigator Layers
• Industrial Control System (ICS) TTPs mapped to MITRE ATT&CK Navigator Layers

Known Tools Used

As listed by MITRE

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• October 11, 2024 – Trend Micro: Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions
• September 19, 2024 – Mandiant: UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks
• September 11, 2024 – Check Point Research: Targeted Iranian Attacks Against Iraqi Government Infrastructure
• May 20, 2024 – Check Point Research: Bad Karma, No Justice: Void Manticore Destructive Activities in Israel

2023

• December 20, 2023 – Security Scorecard: A detailed analysis of the Menorah malware used by APT34
• December 14, 2023 – ESET: OilRig’s persistent attacks using cloud service-powered downloaders
• October 31, 2023 – Check Point Research: From Albania to the Middle East: The Scarred Manticore is Listening (AFFILIATED WITH MOIS)
• October 19, 2023 – Symantec: Crambus: New Campaign Targets Middle Eastern Government
• September 29, 2023 – Trend Micro: APT34 Deploys Phishing Attack With New Malware
• September 21, 2023 – ESET: OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
• August 30, 2023 – NSFOCUS: APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
• May 09, 2023 – ESET: ESET APT Activity Report Q4 2022­–Q1 2023, specifically on page 8 in PDF (PDF)
• May 08, 2023 – Kaspersky: Kaspersky experts warn of increased IT supply chain attacks by OilRig APT in the Middle East and Turkiye
• February 02, 2023 – Trend Micro: New APT34 Malware Targets The Middle East

2022

• September 08, 2022 – Microsoft: Microsoft investigates Iranian attacks against the Albanian government (ATTRIBUTION TO MOIS)
• May 10, 2022 – Malwarebytes: APT34 targets Jordan Government using new Saitama backdoor

2021

• October 18, 2021 – Kaspersky: Lyceum group reborn
• April 08, 2021 – Check Point Research: Iran’s APT34 Returns with an Updated Arsenal

2020

• July 22, 2020 – Unit 42: OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
• May 19, 2020 – Symantec: Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
• March 02, 2020 – Telsy: APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants
• January 30, 2020 – Intezer: New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset

2019

• December 17, 2019 – Kaspersky: OilRig’s Poison Frog – old samples, same trick
• December 04, 2019 – IBM: New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
• November 09, 2019 – NSFOCUS: APT34 Event Analysis Report
• October 21, 2019 – National Security Agency: Turla Group Exploits Iranian APT To Expand Coverage Of Victims (PDF)
• August 27, 2019 – Secureworks: LYCEUM Takes Center Stage in Middle East Campaign
• July 18, 2019 – FireEye: Hard Pass: Declining APT34's Invite to Join Their Professional Network
• July 16, 2019 – BGD e-GOV CIRT (Bangladesh): [DNSPIONAGE] – FOCUS ON INTERNAL ACTIONS
• May 15, 2019 – Proofpoint: Threat Actor Profile: TA542, From Banker to Malware Distribution Service
• May 06, 2019 – NSFOCUS: Analysis of File Disclosure by APT34
• April 30, 2019 – Unit 42: Behind the Scenes with OilRig
• April 16, 2019 – Unit 42: DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling

2018

• November 27, 2018 – Cisco Talos: DNSpionage Campaign Targets Middle East (attributed by FireEye on July 18, 2019)
• November 16, 2018 – Unit 42: Analyzing OilRig's Ops Tempo from Testing to Weaponization to Delivery
• September 12, 2018 – Unit 42: OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
• September 04, 2018 – Unit 42: OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
• July 25, 2018 – Unit 42: OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
• February 23, 2018 – Unit 42: OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
• February 23, 2018 – Booz Allen: Researchers Discover New variants of APT34 Malware
• January 25, 2018 – Unit 42: OilRig uses RGDoor IIS Backdoor on Targets in the Middle East

2017

• December 15, 2017 – Unit 42: Introducing the Adversary Playbook: First up, OilRig
• December 11, 2017 – Unit 42: OilRig Performs Tests on the TwoFace Webshell
• December 07, 2017 – FireEye: New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
• November 08, 2017 – Unit 42: OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
• October 24, 2017 – ClearSky: Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
• October 09, 2017 – Unit 42: OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
• September 26, 2017 – Unit 42: Striking Oil: A Closer Look at Adversary Infrastructure
• August 28, 2017 – ClearSky: Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
• July 27, 2017 – Unit 42: OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
• July 27, 2017 – Secureworks: The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets
• April 27, 2017 – Unit 42: OilRig Actors Provide a Glimpse into Development and Testing Efforts
• March 31, 2017 – LogRhythm Labs: OilRig Campaign Analysis (PDF, TLP:WHITE)
• February 15, 2017 – Secureworks: Iranian PupyRAT Bites Middle Eastern Organizations
• January 05, 2017 – ClearSky: Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford

2016

• October 04, 2016 – Unit 42: OilRig Malware Campaign Updates Toolset and Expands Targets
• May 26, 2016 – Unit 42: The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor

2015

• October 07, 2015 – Secureworks: Hacker Group Creates Network of Fake LinkedIn Profiles

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: People's Republic of China Organization: Loosely connected private contractors operating on behalf of China’s Ministry of State Security (MSS). Some have worked at Chengdu 404 Network Technology Objective: Espionage, Information theft, Financial crime (Page last updated: November 19, 2024)

Aliases (sorted alphabetically):

• APT41 (FBI, CISA, Cisco, EDTA, FireEye, Mandiant, Kaspersky, Malpedia, Unit 42, Zscaler)
• Axiom (Note: treated as a separate threat actor)
• BARIUM (formerly used by Microsoft)
• Blackfly (Symantec)
• Brass Typhoon (Microsoft)
• Bronze Atlas (SecureWorks)
• Double Dragon (Wikipedia)
• Earth Baku (Trend Micro)
• Grayfly (Symantec)
• Red Kelpie (PWC?)
• RedEcho (different threat actor from Recorded Future possible overlaps)
• Redfly (not used by Symantec, but linked via ShadowPad malware)
• RedGolf (officially used by Recorded Future)
• SparklingGoblin (ESET)
• TG-2633 (formerly used by SecureWorks)
• Wicked Panda (used by CrowdStrike to track espionage)
• Wicked Spider (used by CrowdStrike to track cybercrime)
• Winnti, Winnti Group (Kaspersky, ESET, Cybereason, PwC)

Subgroups

• Earth Longzhi (Trend Micro)
• Earth Freybug (Trend Micro)
• Lead (formerly used by Microsoft)
• Leopard Typhoon (Microsoft)
• Vanadinite (Dragos)

Identified Members

• Zhang Haoran (张浩然): FBI Most Wanted
• Tan Dailin (谭戴林): FBI Most Wanted
• Jiang Lizhi (蒋立志): FBI Most Wanted
• Qian Chuan (钱川): FBI Most Wanted
• Fu Qiang (付强): FBI Most Wanted

Associated Company

Chengdu Si Lingsi (404) Network Technology Company Ltd. (成都市肆零肆网络科技有限公司)

Vulnerabilities Exploited

• CVE-2018-0824 (7.5 high, in CISA's KEV Catalog) Microsoft COM for Windows Remote Code Execution Vulnerability Source: Cisco
• CVE-2017-0199 (7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Sources: Clearsky, Fortinet, FireEye
• CVE-2019-3396 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability. Sources: FireEye, Fortinet
• CVE-2015-1641 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Fortinet
• CVE-2012-0158 (8.8 high, in CISA's KEV Catalog) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Fortinet, FireEye
• CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: FireEye

The following 7 vulnerabilities have the same source: U.S. DOJ

• CVE-2019-19781 (9.8 critical, in CISA's KEV Catalog) Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability Additional sources: FireEye, Fortinet
• CVE-2019-11510 (10.0 critical, in CISA's KEV Catalog) Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
• CVE-2019-16920 (9.8 critical, in CISA's KEV Catalog) D-Link Multiple Routers Command Injection Vulnerability
• CVE-2019-16278 (9.8 critical) Nostromo 1.9.6 Directory Traversal/ Remote Command Execution Vulnerability
• CVE-2019-1652 (7.2 high, in CISA's KEV Catalog) Cisco Small Business Routers Improper Input Validation Vulnerability. Additional source: FireEye
• CVE-2019-1653 (7.5 high, in CISA's KEV Catalog) Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability. Additional source: FireEye
• CVE-2020-10189 (9.8 critical, in CISA's KEV Catalog) Zoho ManageEngine Desktop Central File Upload Vulnerability. Additional sources: FireEye, Fortinet

The following 2 vulnerabilities have the same source: Mandiant

• CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell).
• CVE-2021-44207 (8.1 high) Acclaim USAHERDS Hard-Coded Credentials Vulnerability

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• November 12, 2024 – BlackBerry: LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
• August 04, 2024 – Trend Micro: A Dive into Earth Baku’s Latest Campaign
• August 01, 2024 – Cisco Talos: APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
• July 18, 2024 – Mandiant: APT41 Has Arisen From the DUST
• July 11, 2024 – Zscaler: MoonWalk: A deep dive into the updated arsenal of APT41 | Part 2
• July 10, 2024 – Zscaler: DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1
• June 10, 2024 – Technical University of Zurich (ETH Zurich): From Vegas to Chengdu: Hacking Contests Bug Bounties, and China’s Offensive Cyber Ecosystem (research paper, PDF)
• May 29, 2024 – Natto Thoughts: APT41’s Reconnaissance Techniques and Toolkit: Nmap and What Else?
• May 22, 2024 – Natto Thoughts: Front Company or Real Business in China’s Cyber Operations
• April 02, 2024 – Trend Micro: Earth Freybug Uses UNAPIMON for Unhooking Critical APIs (APT41 subgroup)
• February 28, 2024 – Natto Thoughts: i-SOON: Kicking off the Year of the Dragon with Good Luck … or Not (more about association of i-SOON to Chengdu 404)

2023

• October 27, 2023 – Natto Thoughts: i-SOON: Another Company in the APT41 Network
• September 22, 2023 – Mandiant: Threat Trends: Unraveling WyrmSpy and DragonEgg Mobile Malware with Lookout
• September 12, 2023 – Symantec: Redfly: Espionage Actors Continue to Target Critical Infrastructure (tenuous link via ShadowPad trojan)
• July 19, 2023 – Lookout: Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41
• May 02, 2023 – Trend Micro: Attack on Security Titans: Earth Longzhi Returns With New Tricks (APT41 subgroup)
• April 01, 2023 – Google Cloud/Threat Analysis Group (TAG): April 2023 Threat Horizons Report (PDF, page 9: HOODOO Uses Public Tooling, Google Workspace to Target Taiwanese Media)
• March 30, 2023 – Recorded Future: With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets (PDF)
• February 28, 2023 – Symantec: Blackfly: Espionage Group Targets Materials Technology

2022

• November 09, 2022 – Trend Micro: Hack the Real Box: APT41’s New Subgroup Earth Longzhi (APT41 subgroup)
• October 18, 2022 – Symantec: Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
• September 22, 2022 – U.S. Health and Human Services (HHS): APT41 and Recent Activity (PDF)
• September 14, 2022 – ESET: You never walk alone: The SideWalk backdoor gets a Linux variant
• August 22, 2022 – Mandiant: APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation (PDF)
• August 18, 2022 – Group-IB:
  • APT41 World Tour 2021 on a tight schedule
  • Inflexible schedule: Group-IB reveals malicious APT41 campaigns involving new tactics and tools
• July 24, 2022 – Intrusion Truth: Chinese APTs: Interlinked networks and side hustles
• July 23, 2022 – Intrusion Truth: The people behind Chengdu 404
• July 22, 2022 – Intrusion Truth: Chengdu 404
• July 21, 2022 – Intrusion Truth: The old school hackers behind APT41
• July 20, 2022 – Intrusion Truth: APT41: A Case Sudy [sic]
• May 02, 2022 – Cybereason:
  • Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
  • Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
  • Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
• March 08, 2022 – Mandiant: Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
• February 15, 2022 – Secureworks: ShadowPad Malware Analysis
• January 20, 2022 – Kaspersky: MoonBounce: the dark side of UEFI firmware

2021

• October 05, 2021 – BlackBerry: Drawing a Dragon: Connecting the Dots to Find APT41
• September 21, 2021 – Recorded Future: China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware, available as PDF (tenuous connection via Winnti malware)
• September 09, 2021 – Symantec: Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
• August 24, 2021 – ESET: The SideWalk may be as dangerous as the CROSSWALK
• August 24, 2021 – Trend Micro: APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
  • Earth Baku: An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor. (PDF, white paper)
• August 20, 2021 – CISA: Chinese State-Sponsored Cyber Operations: Observed TTPs (generalized Chinese threat activity)
• July 08, 2021 – Recorded Future: Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling (TAG-22 overlaps with Winnti, but is considered Aquatic Panda)
• July 01, 2021 – Avast: Backdoored Client from Mongolian CA MonPass
• June 10, 2021 – Group-IB: Big airline heist
• April 29, 2021 – NTT: The Operations of Winnti group (PDF)
• March 16, 2021 – Dragos: New ICS Threat Activity Group: VANADINITE (Winnti subgroup)
• March 10, 2021 – Intezer: New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
• March 08, 2021 – Mazaher Kianpour: Socio-Technical Root Cause Analysis of Cyber-enabled Theft of the U.S. Intellectual Property — The Case of APT41 (PDF)
• February 28, 2021 – Recorded Future: China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions, majority in PDF
• January 14, 2021 – Positive Technologies: Higaisa or Winnti? APT41 backdoors, old and new

2020

• November 11, 2020 – Microsoft: Hunting for Barium using Azure Sentinel
• October 20, 2020 – CISA: Potential for China Cyber Response to Heightened U.S.–China Tensions (brief mention of APT41)
• September 29, 2020 – Positive Technologies: ShadowPad: new activity from the Winnti group
• September 18, 2020 – Trend Micro: U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
• September 17, 2020 – Symantec: APT41: Indictments Put Chinese Espionage Group in the Spotlight
• September 16, 2020 – U.S. Department of Justice: Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally (ATTRIBUTION)
  • Indictment: United States of America v. Zhang Haoran, Tan Dailin (PDF)
• September 16, 2020 – FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities (PDF)
• June 11, 2020 – Zscaler: The Return of the Higaisa APT (see Positive Technologies link from January 14, 2021)
• June 04, 2020 – Malwarebytes: New LNK attack tied to Higaisa APT discovered (see Positive Technologies link from January 14, 2021)
• May 21, 2020 – ESET: No “Game over” for the Winnti Group
• May 06, 2020 – Trend Micro: Targeted Ransomware Attack Hits Taiwan Organizations
• April 20, 2020 – QuoIntelligence: WINNTI GROUP: Insights From the Past
• April 13, 2020 – Unit 42: APT41 Using New Speculoos Backdoor to Target Organizations Globally
• March 25, 2020 – FireEye: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
• February ??, 2020 – PwC: Cyber Threats 2019: A Year in Retrospect (PDF, page 10)
• January 31, 2020 – ESET: Winnti Group targeting universities in Hong Kong
• January 31, 2020 – Tagesschau (German news): Deutsches Chemieunternehmen gehackt (German language, archive of dead link. English translated title: “German chemical company hacked”)

2019

• October 31, 2019 – FireEye: MESSAGETAP: Who’s Reading Your Text Messages?
• October 21, 2019 – ESET: Winnti Group's skip-2.0: A Microsoft SQL Server backdoor
• October 15, 2019 – FireEye: LOWKEY: Hunting for the Missing Volume Serial ID
• October 14, 2019 – ESET: Connecting the dots: Exposing the arsenal and methods of the Winnti Group, with whitepaper PDF
• September 14, 2019 – VMware: CB TAU Threat Intelligence Notification: Winnti Malware 4.0
• August 19, 2019 – FireEye: GAME OVER: Detecting and Stopping an APT41 Operation
• August 07, 2019 – FireEye: APT41: A Dual Espionage and Cyber Crime Operation, available as PDF
• July 24, 2019 – Bayerischer Rundfunk (BR): Winnti: Attacking the Heart of the German Industry
• May 29, 2019 – Intezer: HiddenWasp Malware Stings Targeted Linux Systems (link to Winnti malware)
• May 16, 2019 – Lab52: Winnti Group: Geostrategic and TTP (Tactics, Techniques and Procedures)
• May 15, 2019 – Chronicle: Winnti: More than just Windows and Gates
• April 23, 2019 – Kaspersky: Operation ShadowHammer: a high-profile supply chain attack
• March 25, 2019 – Kaspersky: Operation ShadowHammer
• March 11, 2019 – ESET: Gaming industry still in the scope of attackers in Asia

2018

• June 13, 2018 – Microsoft: Microsoft Corporation v. John Does 1-2 (PDF, Case 1:17-cv-01224-TSE-MSN. Proposed default judgment and order for permanent injunction)
• May 03, 2018 – 401 TRG: Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers

2017

• September 21, 2017 – ESET: CConsiderations on the CCleaner incident (later attributed to Winnti by ESET on May 20, 2020)
• August 15, 2017 – Kaspersky: ShadowPad in corporate networks (attributed to Winnti by PwC in 2019)
• July 18, 2017 – Clearsky: Recent Winnti Infrastructure and Samples
• April 19, 2017 – Trend Micro: Examining a Possible Member of the Winnti Group
• March 22, 2017 – Trend Micro: Winnti Abuses GitHub for C&C Communications

2016

• October 18, 2016 – BlackBerry: Digitally Signed Malware Targeting Gaming Companies (links PassCV APT to Winnti)

2015

• October 05, 2015 – VSEC: Initial Winnti analysis against Vietnam game company (archive of dead link)
• June 22, 2015 – Kaspersky: Games are over: Winnti is now targeting pharmaceutical companies (links Winnti to Axiom)
• April 07, 2015 – Novetta: Operation SMN – Winnti Update (archive of dead link), Winnti Analysis (PDF, archive of dead link)

2013

• April 15, 2013 – Kaspersky: Winnti returns with PlugX
• April 11, 2013 – Kaspersky:
  • Winnti. More than just a game, available as PDF (ORIGIN OF WINNTI NAME)
  • The Winnti honeypot – luring intruders

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: Russia Organization: Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) Objective: Espionage, Sabotage, Assassinations, Influence Operations (Page last updated: September 07, 2024)

Aliases:

• Bleeding Bear (superseded by Ember Bear)
• Cadet Blizzard (Microsoft)
• DEV-0586 (formerly used by Microsoft)
• Ember Bear (CrowdStrike, MITRE)
• FROZENVISTA (Google TAG)
• Lorec53 (NSFOCUS)
• Nascent Ursa (Unit 42?)
• Nodaria (Symantec)
• SaintBear ( Malpedia, ETDA)
• UNC2589 (Mandiant)
• UAC-0056 (CERT-UA, Unit 42)

Identified Members

• Amin Timovich Stigal (Амин Стигал), Russian civilian hacker:
  • FBI Most Wanted
  • Rewards for Justice
  • Transnational Organized Crime Rewards Program
• Yuriy Fedorovich Denisov (Юрий Денисов), Colonel and Commanding Officer of Cyber Operations for Unit 29155:
  • FBI Most Wanted
• Vladislav Yevgenyevich Borovkov (Владислав Боровков), lieutenant in Unit 29155:
  • FBI Most Wanted
• Denis Igorevich Denisenko (Денис Денисенко), lieutenant in Unit 29155:
  • FBI Most Wanted
• Dmitriy Yuryevich Goloshubov (Дима Голошубов), lieutenant in Unit 29155:
  • FBI Most Wanted
• Nikolay Aleksandrovich Korchagin (Николай Корчагин), lieutenant in Unit 29155:
  • FBI Most Wanted

Vulnerabilities Exploited

• CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Unit 42

The following 5 vulnerabilities have the same source: CISA

• CVE-2021-33044 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
• CVE-2021-33045 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
• CVE-2022-26134 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
• CVE-2022-26138 (9.8 critical, in CISA's KEV Catalog) Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
• CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog) Sophos Firewall Code Injection Vulnerability

Exploitation Likely

CISA and co-authoring agencies warned on 06 September 2024 that Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for the following 5 vulnerabilities:

• CVE-2020-1472 (9.8 critical, in CISA's KEV Catalog) Microsoft Netlogon Privilege Escalation Vulnerability
• CVE-2021-26084 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
• CVE-2021-3156 (7.8 high, in CISA's KEV Catalog) Sudo Heap-Based Buffer Overflow Vulnerability
• CVE-2021-4034 (7.8 high, in CISA's KEV Catalog) Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
• CVE-2022-27666 (7.8 high) Red Hat: IPSec ESP Local Privilege Escalation Vulnerability

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• September 06, 2024 – ASD ACSC: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
• September 05, 2024 – CISA: Russian Military Cyber Actors Target US and Global Critical Infrastructure, available as PDF
• September 05, 2024 – U.S. Department of Justice:
  • Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government
  • Indictment: United States of America v. Amin Stigal, Vladislav Borovkov, Denis Denisenko, Yuriy Denisov, Dmitriy Goloshubov, and Nikolay Korchagin
  • Assistant Attorney General Matthew G. Olsen Delivers Remarks Announcing Charges Against Russian Military Officers
• September 05, 2024 – NSA: NSA, FBI, CISA, and Allies Issue Advisory about Russian Military Cyber Actors
• September 05, 2024 – U.S. State Department: Up to $1 Million Reward Offer for Information Leading to Arrest and/or Conviction of Russian National Tim Vakhaevich Stigal
  • September 05, 2024 – Rewards for Justice: GRU Officers –Unit 29155
• September 05, 2024 – NCSC-UK: UK and Allies uncover Russian military unit carrying out cyber attacks and digital sabotage for the first time
• September 05, 2024 – BfV (Germany): Joint Cybersecurity Advisory on Russian Military Cyber Actors targeting U.S. and Global Critical Infrastructure
• September 05, 2024 – KAPO (Estonia): A GRU military unit launched cyberattacks against Estonian authorities
• September 05, 2024 – Estonia Prosecutor's Office: A GRU military unit launched cyberattacks against Estonian authorities
• September 05, 2024 – Estonia Ministry of Foreign Affairs (MFA): Estonia names Russia’s military intelligence in a first-ever attribution of cyberattacks
• September 05, 2024 – The Netherlands Military Intelligence and Security Service (MIVD): MIVD waarschuwt: Russen hebben het gemunt op westerse hulp aan Oekraïne (Dutch)
• September 05, 2024 – CCCS: Russian military cyber actors target U.S. and global critical infrastructure
• June 26, 2024 – U.S. Department of Justice: Russian National Charged For Conspiring With Russian Military Intelligence To Destroy Ukrainian Government Computer Systems And Data (Amin Stigal)

2023

• June 14, 2023 – Microsoft: Cadet Blizzard emerges as a novel and distinct Russian threat actor
• February 16, 2023 – Google TAG: Fog of war: how the Ukraine conflict transformed the cyber threat landscape (PDF)
• February 08, 2023 – Symantec: Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine

2022

• December 05, 2022 – Elastic: Operation Bleeding Bear
• July 20, 2022 – USCYBERCOM: Cyber National Mission Force discloses IOCs from Ukrainian networks
• July 20, 2022 – Mandiant: Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
• July 13, 2022 – Malwarebytes: Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
• July 11, 2022 – CERT-UA: Attack by UAC-0056 group on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4941) (Ukrainian)
• July 06, 2022 – CERT-UA: Cyber ​​attack UAC-0056 on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4914) (Ukrainian)
• April 26, 2022 – CERT-UA: UAC-0056 group cyber attack using GraphSteel and GrimPlant malware and the topic of COVID-19 (CERT-UA#4545) (Ukrainian)
• April 25, 2022 – Bitdefender: Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
• April 04, 2022 – Intezer: Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
• April 04, 2022 – NioGuard: Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware
• April 01, 2022 – Malwarebytes: New UAC-0056 activity: There’s a Go Elephant in the room
• March 30, 2022 – CrowdStrike: Who is EMBER BEAR?
• March 28, 2022 – CERT-UA: Cyber ​​attack of the UAC-0056 group on the state bodies of Ukraine using GraphSteel and GrimPlant malware (CERT-UA#4293) (Ukrainian)
• March 15, 2022 – SentinelOne: Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
• March 04, 2022 – Mandiant: Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
• February 25, 2022 – Unit 42: Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
• February 21, 2022 – NSFOCUS: APT Lorec53 group launched a series of cyber attacks against Ukraine
• February 08, 2022 – NSFOCUS: APT Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government
• February 02, 2022 – CERT-UA: Cyber ​​attack of the UAC-0056 group on state organizations of Ukraine using SaintBot and OutSteel malware (CERT-UA#3799) (Ukrainian)
• January 20, 2022 – Unit 42: Threat Brief: Ongoing Russia and Ukraine Cyber Activity
• January 17, 2022 – Picus: TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine
• January 16, 2022 – NCSCC-UA on Twitter: Operation #BleedingBear
• January 15, 2022 – Microsoft: Destructive malware targeting Ukrainian organizations

2021

• November 28, 2021 – NSFOCUS: 2021 Analysis Report on Lorec53 Group (PDF)
• April 06, 2021 – Malwarebytes: A deep dive into Saint Bot, a new downloader (origin of SaintBear?)

Country: Islamic Republic of Iran Organization: Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO) Objective: Espionage, Intelligence collection (Page last updated October 07, 2024)

Aliases:

• APT42 (Mandiant)
• APT35 (Check Point Research, Google Threat Analysis Group)
• Ballistic Bobcat (ESET)
• CALANQUE (Google Threat Analysis Group)
• CharmingCypress (Volexity)
• Charming Kitten (Clearsky, CERT-FA, Bitdefender)
• COBALT ILLUSION (Secureworks)
• ITG18 (IBM)
• Magic Hound (MITRE, Unit 42, Cyble)
• Mint Sandstorm (Microsoft)
• PHOSPHORUS (previously used by Microsoft, The DFIR Report, Deep Instinct, Cybereason)
• TAG-56 (previously used by Recorded Future)
• TA453 (Proofpoint)
• TunnelVision or Tunnel Vision (eSentire, SentinelOne)
• Yellow Garuda (PwC)

Sub-group:

• Nemesis Kitten (CrowdStrike)
• Storm-0270 (Microsoft, formerly tracked as DEV-0270)

Identified Members

• Seyyed Ali Aghamiri (سید علی آقامیری): FBI Most Wanted
• Yasar Balaghi (یاسر بلاغی): FBI Most Wanted
• Masoud Jalili (مسعود جلیلی): FBI Most Wanted

General Information:

• FBI Most Wanted
• Rewards for Justice

Vulnerabilities Exploited

• CVE-2022-47966 (9.8 critical) Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability Source: Microsoft
• CVE-2023-27350 (9.8 critical) PaperCut MF/NG Improper Access Control Vulnerability Source: Microsoft Threat Intelligence
• CVE-2022-47986 (9.8 critical) IBM Aspera Faspex Code Execution Vulnerability. Source: Microsoft
• Log4Shell:
  • CVE-2021-44228 (10.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Check Point Research, Microsoft
  • CVE-2021-45046 (9.0 critical) Apache Log4j2 Deserialization of Untrusted Data Vulnerability Source: Microsoft
• CVE-2018-13379 (9.8 critical) Fortinet FortiOS SSL VPN Path Traversal Vulnerability. Source: Microsoft, SentinelOne
• ProxyLogon (Source: Microsoft):
  • CVE-2021-26855 (9.8 critical) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26857 (7.8 high) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26858 (7.8 high) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-27065 (7.8 high) Microsoft Exchange Server Remote Code Execution Vulnerability
• ProxyShell (Source: The DFIR Report):
  • CVE-2021-34473 (9.1 critical) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 (9.8 critical) Microsoft Exchange Server Privilege Escalation Vulnerability
    
  • CVE-2021-31207 (6.6 medium) Microsoft Exchange Server Security Feature Bypass Vulnerability

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK

Known Tools Used

External link: MITRE

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• September 27, 2024:
  • FBI: Iranian Cyber Actors Targeting Personal Accounts to Support Operations (PDF)
  • U.S. Department of Justice: Three IRGC Cyber Actors Indicted for ‘Hack-and-Leak’ Operation Designed to Influence the 2024 U.S. Presidential Election
  • U.S. Treasury: Treasury Sanctions Iranian Regime Agents Attempting to Interfere in U.S. Elections
  • U.S. State Department: United States Sanctions Iran-Backed Malicious Cyber Actors That Have Attempted to Influence U.S. Elections
  • Rewards for Justice: IRGC Hackers
• August 28, 2024 – Mandiant: I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation (note: weak overlap)
• August 23, 2024 – Meta: Taking Action Against Malicious Accounts in Iran
• August 20, 2024 – Proofpoint: Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
• August 20, 2024 – Recorded Future: GreenCharlie Infrastructure Linked to US Political Campaign Targeting, available as PDF
• August 19, 2024 – CISA: Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts (Note: not explicitly identified)
• August 14, 2024 – Google Threat Analysis Group (TAG): Iranian backed group steps up phishing campaigns against Israel, U.S.
• August 14, 2024 – Harfang Lab: Cyclops: a likely replacement for BellaCiao
• August 08, 2024 – Microsoft Threat Analysis Center Iran Targeting 2024 US Election
• May 22, 2024 – Cyble: Threat Actor Profile: Magic Hound
• May 10, 2024: New Jersey Cybersecurity & Communications Integration Cell (NJ-CCIC): Recent Observed Iranian State-Sponsored Cyber Threat Group Activity (ATTRIBUTION to IRGC-IO)
• May 1, 2024 – Mandiant: Uncharmed: Untangling Iran's APT42 Operations
• February 13, 2024 – Volexity: CharmingCypress: Innovating Persistence
• January 17, 2024 – Microsoft: New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs

2023

• November 09, 2023 – Microsoft: Microsoft shares threat intelligence at CYBERWARCON 2023
• September 11, 2023 – ESET: Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
• June 28, 2023 – Volexity: Charming Kitten Updates POWERSTAR with an InterPlanetary Twist
• July 06, 2023 – Proofpoint: Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware
• April 26, 2023 – Bitdefender: Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware
• April 18, 2023 – Microsoft: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
• March 09, 2023 – Secureworks: COBALT ILLUSION Masquerades as Atlantic Council Employee

2022

• December 14, 2022 – Proofpoint: Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations
• December 12, 2022 – SOCRadar: Dark Web Profile: APT42 – Iranian Cyber Espionage Group
• November 29, 2022 – Recorded Future: Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank, available as PDF
• September 27, 2022 – Avertium: An In-Depth Look at APT35 aka Charming Kitten
• September 14, 2022 – U.S. Treasury: Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity (ATTRIBUTION to IRGC, links “Tunnel Vision” to Charming Kitten)
• September 13, 2022 – Proofpoint: Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO
• September 09, 2022 – CERT-FA: Charming Kitten: “Can We Have A Meeting?”
• September 07, 2022 – Mandiant: APT42: Crooked Charms, Cons, and Compromises, available as PDF
• September 07, 2022 – Microsoft: Profiling DEV-0270: PHOSPHORUS’ ransomware operations
• August 23, 2022 – Google Threat Analysis Group (TAG): New Iranian APT data extraction tool
• July 22, 2022 – PwC: Old cat, new tricks, bad habits
• June 01, 2022 – Deep Instinct: Iranian Threat Actor Continues to Develop Mass Exploitation Tools
• March 30, 2022 – Recorded Future: Social Engineering Remains Key Tradecraft for Iranian APTs, available as PDF
• March 21, 2022 – The DFIR Report: PHOSPHORUS Automates Initial Access Using ProxyShell
• March 09, 2022 – eSentire: Exploitation of VMware Horizon Servers by TunnelVision Threat Actor
• February 17, 2022 – SentinelOne: Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon
• February 01?, 2022 – Cybereason: PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
• January 11, 2022 – Check Point Research: APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit

2021

• November 16, 2021 – Microsoft: Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021
• November 15, 2021 – The DFIR Report: Exchange Exploit Leads to Domain Wide Ransomware
• October 14, 2021 – Google Threat Analysis Group (TAG): Countering threats from Iran
• August 04, 2021 – IBM: ITG18: Operational security errors continue to plague sizable Iranian threat group
• July 13, 2021 – Proofpoint: Operation SpoofedScholars: A Conversation with TA453
• March 30, 2021 – Proofpoint: BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns
• January 08, 2021 – CERT-FA: Charming Kitten’s Christmas Gift

2020

• October 28, 2020 – Microsoft: Cyberattacks target international conference attendees
• August 27, 2020 – Clearsky: The Kittens Are Back in Town 3, available as PDF
• July 16, 2020 – IBM: New Research Exposes Iranian Threat Group Operations
• January 30, 2020 – CERT-FA: Fake Interview: The New Activity of Charming Kitten

2019

• October 07, 2019 – Clearsky: The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods
• October 04, 2019 – Microsoft: Recent cyberattacks require us all to be vigilant
• September 15, 2019 – Clearsky: The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers
• March 17, 2019 – Microsoft: New steps to protect customers from hacking

2018

• December 13, 2018 – CERT-FA: The Return of The Charming Kitten

2017

• December 05, 2017 – Clearsky: Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets available as a PDF (PDF)
• February 06, 2017 – Iran Threats: iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)

2016

• November 11, 2016 – Iran Threats: Fictitious Profiles and WebRTC’s Privacy Leaks Used to Identify Iranian Activists
• April 27, 2016 – Kaspersky: Freezer Paper around Free Meat

Country: People's Republic of China (PRC) Organization: Hainan State Security Department (HSSD), of the Ministry of State Security (MSS) Objective: Espionage

Aliases:

• Bronze Mohawk (Secureworks)
• Leviathan/Kryptonite Panda (CrowdStrike)
• Gadolinium (formerly used by Microsoft)
• Gingam Typhoon (Microsoft)
• FEVERDREAM, G0065, GreenCrash, Hellsing, Mudcarp, Periscope
• Temp.Periscope/ Temp.Jumper (FireEye)

Front Company

• Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun) (Note: disbanded)

Identified Members

• Ding Xiaoyang (丁晓阳)
• Cheng Qingmin (程庆民)
• Zhu Yunmin (朱允敏)
• Wu Shurong (吴淑荣)

References:

Links (Sorted in Chronological Order)

2021

• July 20, 2021 – CISA: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
• July 19, 2021 – U.S. Department of Justice: Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research

2020

• September 24/ 2020 – Microsoft: Microsoft Security—detecting empires in the cloud

2019

• March 04, 2019 – Mandiant: APT40: Examining a China-Nexus Espionage Actor

Country: People's Republic of China Organization: N/A Objective: Espionage (Page Last Updated: November 19, 2024)

Aliases:

• Volt Typhoon (Microsoft)
• Vanguard Panda (CrowdStrike)
• Bronze Silhouette (Secureworks)
• DEV-0391 (Microsoft)
• UNC3236 (Mandiant)
• UNC5291 (Note: moderate confidence by Mandiant)
• Voltzite (Dragos)
• Insidious Taurus (Unit 42)

Vulnerabilities Exploited

• CVE-2024-39717 (CVSSv3.1: 6.6 medium, in CISA's KEV Catalog) Versa Director Dangerous File Type Upload Vulnerability Source: Lumen
• CVE-2022-42475 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability Source: CISA
• Source: Versa Networks
  • CVE-2023-27997 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
  • CVE-2024-21762 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS Out-of-Bound Write Vulnerability
  • CVE-2023-46805 (CVSSv3.1: 8.2 high, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
  • CVE-2024-21887 (CVSSv3.1: 9.1 critical, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Command Injection Vulnerability

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• November 19, 2024 – Tenable: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
• November 12, 2024 – Security Scorecard: The Botnet is Back: SSC STRIKE Team Uncovers a Renewed Cyber Threat
• November 05, 2024 – Bloomberg: Chinese Group Accused of Hacking Singtel in Telecom Attacks (news article, archive link)
• August 27, 2024 – Lumen: Taking the Crossroads: The Versa Director Zero-Day Exploitation
• June 12, 2024 – Natto Thoughts: Who is Volt Typhoon? A State-sponsored Actor? Or Dark Power?
• April 04, 2024 – Mandiant: Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
• March 20, 2024 – ASD ACSC: PRC State-Sponsored Cyber Activity
• February 14?, 2024 – Dragos: VOLTZITE Espionage Operations Targeting U.S. Critical Systems and (7 page PDF)
• February 14, 2024 – Unit 42: Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)
• February 07, 2024 – Lumen: KV-Botnet: Don’t call it a Comeback
• February 07, 2024 – CISA:
  • PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
  • Joint Guidance: Identifying and Mitigating Living Off the Land Techiques (PDF)
  • MAR-10448362-1.v1 Volt Typhoon
• January 31, 2024 – U.S. Department of Justice: U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure
• January 31, 2024 – CISA: Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers and (2 page PDF)
• January 11, 2024 – Security Scorecard: Threat Intelligence Research: Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days

2023

• December 13, 2023 – Lumen: Routers Roasting on an Open Firewall: the KV-botnet Investigation
• June 23, 2023 – CrowdStrike: Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft
• May 24, 2023 – Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
• May 24, 2023 – CISA: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
• May 24, 2023 – Secureworks: Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: Russia Organization: Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. Objective: Espionage WORK IN PROGRESS! (Page last updated: September 09, 2024)

Aliases:

• APT28 (MITRE, Mandiant)
• Fancy Bear (CrowdStrike)
• Sofacy (F-Secure)
• Sednit or Sednit Group (ESET)
• Group 74 (Cisco Talos Intelligence)
• IRON TWILIGHT (Secureworks)
• Strontium (formerly used by Microsoft)
• Forest Blizzard (Microsoft)
• Pawn Storm (Trend Micro)
• Swallowtail (Symantec)
• BlueDelta (Recorded Future)
• UAC-0028 (CERT-UA)
• TA422 (Proofpoint)
• Fighting Ursa (Unit 42)
• FROZENLAKE (Google Threat Analysis Group)

Possible Ties

• UAC-0063 (according to CERT-UA)

Identified Members

Still parsing through the indictments.

Vulnerabilities Exploited

Coming soon! There's a lot.

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• August 02, 2024 – Unit 42: Fighting Ursa Luring Targets With Car for Sale
• July 22, 2024 – Computer Emergency Response Team of Ukraine (CERT-UA): UAC-0063 атакує науково-дослідні установи України: HATVIBE + CHERRYSPY + CVE-2024-23692 (CERT-UA#10356) (Ukrainian)
• June 12, 2024 – Mandiant / Google TAG: Insights on Cyber Threats Targeting Users and Enterprises in Brazil
• May 3, 2024 – U.S. State Department: The United States Condemns Malicious Cyber Activity Targeting Germany, Czechia, and Other EU Member States
• April 22, 2024 – Microsoft: Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
• February 27, 2024 – NSA: Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations
• February 15, 2024 – U.S. Department of Justice: Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)
• February 14, 2024 – Microsoft: Staying ahead of threat actors in the age of AI

2023

• April 18, 2023 – CISA: APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers
• April 18, 2023 – NCSC-UK: Malware Analysis Report: Jaguar Tooth (PDF)
• March 24, 2023 – Microsoft: Guidance for investigating attacks using CVE-2023-23397

2022

• May 09, 2022 – CISA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
• April 07, 2022 – Microsoft: Disrupting cyberattacks targeting Ukraine

2021

• July 1, 2021 – U.S. Department of Defense: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments (PDF)

2020

• October 22, 2020 – UK Government: UK enforces new sanctions against Russia for cyber attack on German Parliament
• September 10, 2020 – Microsoft: STRONTIUM: Detecting new patterns in credential harvesting

2018

• October 4, 2018 – UK Government: Minister for Europe statement: attempted hacking of the OPCW by Russian military intelligence
• October 4, 2018 – GCHQ: Reckless campaign of cyber attacks by Russian military intelligence service exposed
• May 23, 2018 – DOJ: Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices

2016

• August 06, 2016 – Microsoft: Microsoft Corporation v. John Does 1-2 (PDF, Civil Action No: 1:16-CV-993)

2015

• November 16, 2015 – Microsoft: Microsoft Security Intelligence Report Volume 19 (PDF, page 13)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: Russia Organization: Foreign Intelligence Service (SVR) Objective: Espionage

Aliases:

• APT29 (MITRE, Mandiant, Kaspersky, BlackBerry, Infoblox, )
• Cozy Bear (CrowdStrike)
• The Dukes (F-Secure)
• Group 100 (Talos)
• Iron Hemlock (SecureWorks)
• Nobelium (formerly used by Microsoft)
• Midnight Blizzard (Microsoft)
• Iron Hemlock (SecureWorks)
• Cloaked Ursa (Palo Alto)
• BlueBravo (Recorded Future)
• Cloaked Ursa (Unit 42)

Links

• CISA:
  • SVR Cyber Actors Adapt Tactics for Initial Cloud Access (February 26, 2024)
  • Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (December 13, 2023)
  • Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise (May 21, 2021)
  • Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders (April 26, 2021)
  • Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool (April 15, 2021)
  • Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments (January 8, 2021)
  • Enhanced Analysis of GRIZZLY STEPPE Activity (February 10, 2017)
• NCSC-UK:
  • UK and allies expose evolving tactics of Russian cyber actors (February 26, 2024)
  • Joint advisory: Further TTPs associated with SVR cyber actors (May 7, 2021)
  • Advisory: APT29 targets COVID-19 vaccine development (July 16, 2020)
• Mandiant: APT29 Uses WINELOADER to Target German Political Parties (March 22, 2024)
• Microsoft:
  • Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (March 08, 2024)
  • Midnight Blizzard: Guidance for responders on nation-state attack (January 25, 2024)
  • Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (January 19, 2024)
  • Midnight Blizzard conducts targeted social engineering over Microsoft Teams (August 2, 2023)
  • MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone (August 24, 2022)
  • NOBELIUM targeting delegated administrative privileges to facilitate broader attacks (October 25, 2021)