Not Simon 🐐

Country: People's Republic of China

Organization: N/A

Objective: Espionage

(Page Last Updated: October 05, 2024)

Aliases:

Vulnerabilities Exploited

  • ProxyLogon (Sources: ESET, Kaspersky, Sygnia):
    • CVE-2021-26855 (9.8 critical, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
    • CVE-2021-26857 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
    • CVE-2021-26858 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
    • CVE-2021-27065 (7.8 high, in CISA's KEV Catalog)
  • unidentified Microsoft SharePoint and Oracle Opera business software vulnerabilities (Source: ESET)
  • CVE-2017-11882 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office Memory Corruption Vulnerability Source: Trend Micro
  • CVE-2012-0158 (8.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper, KeyBoy) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Unit 42, Citizen Lab
  • CVE-2017-0199 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Citizen Lab
  • CVE-2015-1641 (7.8 high, in CISA's KEV Catalog. Note: associated with alias KeyBoy) Microsoft Office Memory Corruption Vulnerability Source: Citizen Lab

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

2023

2022

2021

2020

2018

2017

2016

2015

2013

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: People's Republic of China

Organization: Integrity Technology Group

Objective: Espionage, Information theft

(Page last updated: September 23, 2024)

Aliases (sorted alphabetically):

Associated Company

Integrity Technology Group (Integrity Tech) (Source: FBI (PDF)) aka Yongxin Zhicheng, 永信至诚

Vulnerabilities Exploited

Source: FBI

References

Links (Sorted in Chronological Order)

2024

2023

2022

2020

  • May 20, 2020?? – PRC Ministry of State Security: 前沿 | 网络靶场,未来安全的基础设施 (web archive of an MSS-run periodical reprinted on IntegrityTech's website, English translation: “Frontier | Cyber Range, the secure infrastructure of the future”)

Country: Islamic Republic of Iran

Organization: Ministry of Intelligence and Security (MOIS)

Objective: Espionage, Sabotage

(Page last updated September 20, 2024)

Aliases (sorted alphabetically):

Sub-group:

Known Associates

  • Mojtaba Mostafavi. Source: U.S. Treasury (linked by PwC, via Lab Dookhtegan leaks)
  • Farzin Karimi Mazlganchai. Source: PwC

Vulnerabilities Exploited

  • CVE-2019-0604 (CVE, NVD. CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Microsoft SharePoint Remote Code Execution Vulnerability Source: Microsoft
  • CVE-2017-11882 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Mandiant
  • CVE-2017-0199 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Unit 42

Tactics, Techniques, and Procedures (TTPs)

Known Tools Used

As listed by MITRE

References

Links (Sorted in Chronological Order)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

Country: People's Republic of China

Organization: Loosely connected private contractors operating on behalf of China’s Ministry of State Security (MSS). Some have worked at Chengdu 404 Network Technology

Objective: Espionage, Information theft, Financial crime

(Page last updated: September 22, 2024)

Aliases (sorted alphabetically):

Subgroups

Identified Members

Associated Company

Chengdu Si Lingsi (404) Network Technology Company Ltd. (成都市肆零肆网络科技有限公司)

Vulnerabilities Exploited

  • CVE-2018-0824 (7.5 high, in CISA's KEV Catalog) Microsoft COM for Windows Remote Code Execution Vulnerability Source: Cisco
  • CVE-2017-0199 (7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Sources: Clearsky, Fortinet, FireEye
  • CVE-2019-3396 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability. Sources: FireEye, Fortinet
  • CVE-2015-1641 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Fortinet
  • CVE-2012-0158 (8.8 high, in CISA's KEV Catalog) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Fortinet, FireEye
  • CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: FireEye

The following 7 vulnerabilities have the same source: U.S. DOJ

  • CVE-2019-19781 (9.8 critical, in CISA's KEV Catalog) Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability Additional sources: FireEye, Fortinet
  • CVE-2019-11510 (10.0 critical, in CISA's KEV Catalog) Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
  • CVE-2019-16920 (9.8 critical, in CISA's KEV Catalog) D-Link Multiple Routers Command Injection Vulnerability
  • CVE-2019-16278 (9.8 critical) Nostromo 1.9.6 Directory Traversal/Remote Command Execution Vulnerability
  • CVE-2019-1652 (7.2 high, in CISA's KEV Catalog) Cisco Small Business Routers Improper Input Validation Vulnerability. Additional source: FireEye
  • CVE-2019-1653 (7.5 high, in CISA's KEV Catalog) Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability. Additional source: FireEye
  • CVE-2020-10189 (9.8 critical, in CISA's KEV Catalog) Zoho ManageEngine Desktop Central File Upload Vulnerability. Additional sources: FireEye, Fortinet

The following 2 vulnerabilities have the same source: Mandiant

  • CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell).
  • CVE-2021-44207 (8.1 high) Acclaim USAHERDS Hard-Coded Credentials Vulnerability

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Links (Sorted in Chronological Order)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2013

Country: Russia

Organization: Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155)

Objective: Espionage, Sabotage, Assassinations, Influence Operations

(Page last updated: September 07, 2024)

Aliases:

Identified Members

Vulnerabilities Exploited

  • CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Unit 42

The following 5 vulnerabilities have the same source: CISA

  • CVE-2021-33044 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
  • CVE-2021-33045 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
  • CVE-2022-26134 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
  • CVE-2022-26138 (9.8 critical, in CISA's KEV Catalog) Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
  • CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog) Sophos Firewall Code Injection Vulnerability

Exploitation Likely

CISA and co-authoring agencies warned on 06 September 2024 that Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for the following 5 vulnerabilities:

  • CVE-2020-1472 (9.8 critical, in CISA's KEV Catalog) Microsoft Netlogon Privilege Escalation Vulnerability
  • CVE-2021-26084 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
  • CVE-2021-3156 (7.8 high, in CISA's KEV Catalog) Sudo Heap-Based Buffer Overflow Vulnerability
  • CVE-2021-4034 (7.8 high, in CISA's KEV Catalog) Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
  • CVE-2022-27666 (7.8 high) Red Hat: IPSec ESP Local Privilege Escalation Vulnerability

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

[Screenshot: Russia GRU Unit 29155 MITRE ATT&CK TTPs in a visual chart compiled using ATT&CK Navigator Layers]

References

Links (Sorted in Chronological Order)

2024

2023

2022

2021

Country: Islamic Republic of Iran

Organization: Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO)

Objective: Espionage, Intelligence collection

(Page last updated September 28, 2024)

Aliases:

Sub-group:

Vulnerabilities Exploited

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK

Known Tools Used

External link: MITRE

References

Links (Sorted in Chronological Order)

2024

2023

2022

2021

2020

2019

2018

2017

2016

Country: People's Republic of China (PRC)

Organization: Hainan State Security Department (HSSD), of the Ministry of State Security (MSS)

Objective: Espionage

Aliases:

  • Bronze Mohawk (Secureworks)
  • Leviathan/Kryptonite Panda (CrowdStrike)
  • Gadolinium (formerly used by Microsoft)
  • Gingham Typhoon (Microsoft)
  • FEVERDREAM, G0065, GreenCrash, Hellsing, Mudcarp, Periscope
  • Temp.Periscope/Temp.Jumper (FireEye)

Front Company

  • Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun) (Note: disbanded)

Identified Members

  • Ding Xiaoyang (丁晓阳)
  • Cheng Qingmin (程庆民)
  • Zhu Yunmin (朱允敏)
  • Wu Shurong (吴淑荣)

References:

Links (Sorted in Chronological Order)

2021

2020

2019

Country: People's Republic of China

Organization: N/A

Objective: Espionage

(Page Last Updated: September 08, 2024)

Aliases:

Vulnerabilities Exploited

  • CVE-2024-39717 (CVSSv3.1: 6.6 medium, in CISA's KEV Catalog) Versa Director Dangerous File Type Upload Vulnerability Source: Lumen
  • CVE-2022-42475 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability Source: CISA
  • Source: Versa Networks
    • CVE-2023-27997 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
    • CVE-2024-21762 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS Out-of-Bound Write Vulnerability
    • CVE-2023-46805 (CVSSv3.1: 8.2 high, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
    • CVE-2024-21887 (CVSSv3.1: 9.1 critical, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Command Injection Vulnerability

References

Links (Sorted in Chronological Order)

2024

2023

Country: Russia

Organization: Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165

Objective: Espionage

WORK IN PROGRESS! (Page last updated: September 09, 2024)

Aliases:

  • APT28 (MITRE, Mandiant)
  • Fancy Bear (CrowdStrike)
  • Sofacy (F-Secure)
  • Sednit or Sednit Group (ESET)
  • Group 74 (Cisco Talos Intelligence)
  • IRON TWILIGHT (Secureworks)
  • Strontium (formerly used by Microsoft)
  • Forest Blizzard (Microsoft)
  • Pawn Storm (Trend Micro)
  • Swallowtail (Symantec)
  • BlueDelta (Recorded Future)
  • UAC-0028 (CERT-UA)
  • TA422 (Proofpoint)
  • Fighting Ursa (Unit 42)
  • FROZENLAKE (Google Threat Analysis Group)

Possible Ties

Identified Members

Still parsing through the indictments.

Vulnerabilities Exploited

Coming soon! There's a lot.

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Links (Sorted in Chronological Order)

2024

2023

2022

2021

2020

2018

2016

2015

Country: Russia

Organization: Foreign Intelligence Service (SVR)

Objective: Espionage

Aliases:

  • APT29 (MITRE, Mandiant, Kaspersky, BlackBerry, Infoblox)
  • Cozy Bear (CrowdStrike)
  • The Dukes (F-Secure)
  • Group 100 (Talos)
  • Iron Hemlock (SecureWorks)
  • Nobelium (formerly used by Microsoft)
  • Midnight Blizzard (Microsoft)
  • Cloaked Ursa (Palo Alto)
  • BlueBravo (Recorded Future)
  • Cloaked Ursa (Unit 42)