tidal-campaigns.json
1854 lines (1854 loc) · 149 KB
{
"authors": [
"Tidal Cyber"
],
"category": "Campaigns",
"description": "Tidal Campaigns Cluster",
"name": "Tidal Campaigns",
"source": "https://app-api.tidalcyber.com/api/v1/campaigns/",
"type": "campaigns",
"uuid": "3db4b6cb-5b89-4096-a057-e0205777adc9",
"values": [
{
"description": "[2015 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/96e367d0-a744-5b63-85ec-595f505248a3) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign during which they used [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) (specifically BlackEnergy3) and [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.",
"meta": {
"campaign_attack_id": "C0028",
"first_seen": "2015-12-01T05:00:00Z",
"last_seen": "2016-01-01T05:00:00Z",
"source": "MITRE",
"tags": [
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
]
},
"related": [],
"uuid": "96e367d0-a744-5b63-85ec-595f505248a3",
"value": "2015 Ukraine Electric Power Attack"
},
{
"description": "[2016 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/06197e03-e1c1-56af-ba98-5071f98f91f1) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign during which they used [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666).<sup>[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)]</sup><sup>[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]</sup>",
"meta": {
"campaign_attack_id": "C0025",
"first_seen": "2016-12-01T05:00:00Z",
"last_seen": "2016-12-01T05:00:00Z",
"source": "MITRE",
"tags": [
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
]
},
"related": [],
"uuid": "06197e03-e1c1-56af-ba98-5071f98f91f1",
"value": "2016 Ukraine Electric Power Attack"
},
{
"description": "The [2022 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/a79e06d1-df08-5c72-9180-2c373274f889) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign that used a combination of GOGETTER, Neo-REGEORG, [CaddyWiper](https://app.tidalcyber.com/software/62d0ddcd-790d-4d2d-9d94-276f54b40cf0), and living off the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.<sup>[[Mandiant-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/7ad64744-2790-54e4-97cd-e412423f6ada)]</sup><sup>[[Dragos-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/a17aa1b1-cda4-5aeb-b401-f4fd47d29f93)]</sup>",
"meta": {
"campaign_attack_id": "C0034",
"first_seen": "2022-06-01T04:00:00Z",
"last_seen": "2022-10-01T04:00:00Z",
"source": "MITRE",
"tags": [
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
]
},
"related": [],
"uuid": "a79e06d1-df08-5c72-9180-2c373274f889",
"value": "2022 Ukraine Electric Power Attack"
},
{
"description": "In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>\n\nThe Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup><sup>[[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]</sup>\n\n**Related Vulnerabilities**: CVE-2022-31199<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>",
"meta": {
"campaign_attack_id": "C3003",
"first_seen": "2022-08-01T00:00:00Z",
"last_seen": "2023-05-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
"15787198-6c8b-4f79-bf50-258d55072fee",
"7cc57262-5081-447e-85a3-31ebb4ab2ae5"
]
},
"related": [],
"uuid": "87e14285-b86f-4f50-8d60-85398ba728b1",
"value": "2023 Increased Truebot Activity"
},
{
"description": "In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization's mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.\n\nIvanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a).<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-35078<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>, CVE-2023-35081<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>",
"meta": {
"campaign_attack_id": "C3007",
"first_seen": "2023-04-01T00:00:00Z",
"last_seen": "2023-07-28T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"2d80c940-ba2c-4d45-8272-69928953e9eb",
"15787198-6c8b-4f79-bf50-258d55072fee",
"a98d7a43-f227-478e-81de-e7299639a355",
"81e948b3-5ec0-4df8-b6e7-1b037b1b2e67",
"7551097a-dfdd-426f-aaa2-a2916dd9b873"
]
},
"related": [],
"uuid": "33fd2417-0a9c-4748-ab99-0e641ab29fbc",
"value": "2023 Ivanti EPMM APT Vulnerability Exploits"
},
{
"description": "In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organization’s public-facing web servers. A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.’s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organization’s firewall devices.\n\nAfter gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>\n\nIn addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a).\n\n**Related Vulnerabilities**: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>",
"meta": {
"campaign_attack_id": "C3009",
"first_seen": "2023-01-01T00:00:00Z",
"last_seen": "2023-04-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"15787198-6c8b-4f79-bf50-258d55072fee",
"a98d7a43-f227-478e-81de-e7299639a355",
"7e6ef160-8e4f-4132-bdc4-9991f01c472e",
"793f4441-3916-4b3d-a3fd-686a59dc3de2",
"532b7819-d407-41e9-9733-0d716b69eb17"
]
},
"related": [],
"uuid": "d25f0485-fdf3-4b85-b2ec-53e98e215d0b",
"value": "2023 Zoho ManageEngine APT Exploits"
},
{
"description": "AMBERSQUID is a \"cloud-native\" financially motivated threat operation that specifically leverages AWS services. Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.<sup>[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]</sup>",
"meta": {
"campaign_attack_id": "C3030",
"first_seen": "2022-05-01T00:00:00Z",
"last_seen": "2023-03-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2e5f6e4a-4579-46f7-9997-6923180815dd",
"8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "cf42d51a-8002-4f04-a930-21c15115769f",
"value": "AMBERSQUID"
},
{
"description": "In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.\n\nAndariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023 and referenced public threat reporting published from March 2021 through May 2024.<sup>[[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]</sup>",
"meta": {
"campaign_attack_id": "C3048",
"first_seen": "2021-03-01T00:00:00Z",
"last_seen": "2024-05-30T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"27a117ce-bb19-4f79-9bc2-a851b69c5c50",
"6070668f-1cbd-4878-8066-c636d1d8659c",
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee",
"4f4744b0-8401-423c-9ed0-3cb2985d9fd3",
"ddfaecd0-bd3e-41ac-85c7-ca2156684343",
"0dbed83d-af67-4ce0-a1ee-16f1165fdc0f",
"6422a882-7606-4aa3-b994-f917f53c2ada",
"c1b123d2-ce58-4345-8482-d1da27b3c053",
"f166e59e-9877-4102-a39b-fae38df4b790",
"6a82d685-3f77-498d-91c3-a759292ec2da",
"a32a757a-9d6b-43ca-ac4b-5f695dd0f110",
"ac70560d-c3e7-4b40-a4d6-a3287e3d952b",
"75f62312-a7ee-4534-8c8a-e3b7366a3a4b",
"887d1cfe-d0c5-431c-8dce-0e1b9a2505aa",
"96eec53f-355c-406c-87ba-18c3be4c69a1",
"54fafdbe-1ea0-4f48-99ad-757c8fe50df2",
"35b334ec-4169-4898-ab90-487eea7feb69",
"4ac4e1b9-2192-47ac-a4d1-3a31aa0f2140",
"936a56f5-a4f1-42d8-83b7-c44399ead661",
"0d19ceed-28f6-4258-b365-f6e6f296121d",
"037cc75c-9683-49db-aaa8-c8142763bb87",
"ff71ed89-8355-4abc-9da4-eb4768a38c9c",
"6fade0a3-0c26-4a11-b81e-25d20e38bdd3",
"3b54d8a5-580f-43bf-a12d-8e011f953bad",
"0f6e72e1-ba8f-4d1d-920d-d8945a4fee59",
"7bbc5366-897a-4505-bc68-3a18e3d4cf44",
"4cd85398-c33a-4374-9a76-2bbf297cca63",
"5ec8231e-70e9-4675-b922-368bcb9e914a",
"21c64d34-e52a-42ba-a8c7-85aa82dc0b3f",
"cd9ab9e7-248f-4097-b120-a42834ce0f89",
"91ddbeac-b587-4978-a80d-543a5d96cb77",
"b8448700-7ed0-48b8-85f5-ed23e0d9ab97",
"12b074b9-6748-4ad7-880f-836cb80587e1",
"45f92502-0775-4fc6-8fcd-97b325ea49a9",
"cddb4563-fe90-4c72-be81-6256d175a698",
"69f278d7-194f-42d0-8f83-11de9f861264",
"f0c58aa3-5d21-4ade-95a0-b775dde7e8a3",
"5f9b1c23-81f8-4aa3-8d97-235302e77eec",
"d842c7ff-e3d3-4534-9ed7-283752f4bbe2",
"ecd84106-2a5b-4d25-854e-b8d1f57f6b75",
"7e6ef160-8e4f-4132-bdc4-9991f01c472e",
"532b7819-d407-41e9-9733-0d716b69eb17",
"e401022a-36ac-486d-8503-dd531410a927",
"173e1480-8d9b-49c5-854d-594dde9740d6",
"7551097a-dfdd-426f-aaa2-a2916dd9b873",
"c475ad68-3fdc-4725-8abc-784c56125e96",
"08809fa0-61b6-4394-b103-1c4d19a5be16",
"4ac8dcde-2665-4066-9ad9-b5572d5f0d28",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172"
]
},
"related": [],
"uuid": "458dc371-5dc2-4e6c-8157-3a872dd29726",
"value": "Andariel Espionage Activity"
},
{
"description": "Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).<sup>[[Esentire 5 8 2024](/references/67c3a7ed-e2e2-4566-aca7-61e766f177bf)]</sup>",
"meta": {
"campaign_attack_id": "C3038",
"first_seen": "2024-04-01T00:00:00Z",
"last_seen": "2024-04-30T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "2b869157-0b66-42fc-8ead-171160412660",
"value": "April 2024 FIN7 Malvertising Campaign"
},
{
"description": "In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>",
"meta": {
"campaign_attack_id": "C3008",
"first_seen": "2021-01-01T00:00:00Z",
"last_seen": "2021-12-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"f01290d9-7160-44cb-949f-ee4947d04b6f",
"b20e7912-6a8d-46e3-8e13-9a3fc4813852"
]
},
"related": [],
"uuid": "ed8de8c3-03d2-4892-bd74-ccbc9afc3935",
"value": "APT28 Cisco Router Exploits"
},
{
"description": "U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.<sup>[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)]</sup> According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.<sup>[[U.S. Justice Department GRU Botnet February 2024](/references/26a554dc-39c0-4638-902d-7e84fe01b961)]</sup>",
"meta": {
"campaign_attack_id": "C3027",
"first_seen": "2022-12-01T00:00:00Z",
"last_seen": "2024-01-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"6070668f-1cbd-4878-8066-c636d1d8659c",
"d8f7e071-fbfd-46f8-b431-e241bb1513ac",
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"a98d7a43-f227-478e-81de-e7299639a355",
"916ea1e8-d117-45a4-8564-0597a02b06e4",
"b20e7912-6a8d-46e3-8e13-9a3fc4813852",
"e809d252-12cc-494d-94f5-954c49eb87ce"
]
},
"related": [],
"uuid": "2514a83a-3516-4d5d-a13c-2b6175989a26",
"value": "APT28 Router Compromise Attacks"
},
{
"description": "UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.<sup>[[U.S. CISA APT29 Cloud Access](/references/e9e08eca-1e01-4ff0-a8ef-49ecf66aaf3d)]</sup>",
"meta": {
"campaign_attack_id": "C3028",
"first_seen": "2023-02-26T00:00:00Z",
"last_seen": "2024-02-26T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"291c006e-f77a-4c9c-ae7e-084974c0e1eb"
]
},
"related": [],
"uuid": "c1257a02-716f-4477-9eab-c38827418ed2",
"value": "APT29 Cloud TTP Evolution"
},
{
"description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nIn December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russia’s Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.\n\nCVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.\n\nJetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims.\n\nIndicators of compromise, mitigation guidance, and detection resources – including Sigma and YARA rules – can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a).<sup>[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]</sup>",
"meta": {
"campaign_attack_id": "C3017",
"first_seen": "2023-09-01T00:00:00Z",
"last_seen": "2023-12-14T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"08809fa0-61b6-4394-b103-1c4d19a5be16",
"4a457eb3-e404-47e5-b349-8b1f743dc657"
]
},
"related": [],
"uuid": "80ae546a-70e5-4427-be1d-e74efc428ffd",
"value": "APT29 TeamCity Exploits"
},
{
"description": "On July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.\n\nThe advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.<sup>[[U.S. CISA APT40 July 8 2024](/references/3bf90a48-caf6-4b9d-adc2-3d1176f49ffc)]</sup>",
"meta": {
"campaign_attack_id": "C3047",
"first_seen": "2022-04-01T00:00:00Z",
"last_seen": "2022-09-30T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"96d58ca1-ab18-4e53-8891-d8ba62a47e5d",
"6070668f-1cbd-4878-8066-c636d1d8659c",
"d8f7e071-fbfd-46f8-b431-e241bb1513ac",
"758c3085-2f79-40a8-ab95-f8a684737927",
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee",
"35e694ec-5133-46e3-b7e1-5831867c3b55",
"375983b3-6e87-4281-99e2-1561519dd17b",
"3ed2343c-a29c-42e2-8259-410381164c6a",
"a46c422c-5dad-49fc-a4ac-169a075a4d9a",
"2eeef0b4-08b5-4d25-84f7-25d41fe6305b",
"64d3f7d8-30b7-4b03-bee2-a6029672216c",
"7e6ef160-8e4f-4132-bdc4-9991f01c472e",
"b20e7912-6a8d-46e3-8e13-9a3fc4813852"
]
},
"related": [],
"uuid": "3db5682a-0b99-4653-b487-bd0d30292a19",
"value": "APT40 Recent Tradecraft"
},
{
"description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"APT41 DUST\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nIn July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.<sup>[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]</sup>",
"meta": {
"campaign_attack_id": "C3049",
"first_seen": "2023-03-21T00:00:00Z",
"last_seen": "2024-07-16T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "ea6266fd-50a7-4223-ade3-e60c3467f540",
"value": "APT41 2023-2024 Persistence & Exfiltration Activity (Deprecated)"
},
{
"description": "[APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae) was conducted by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. [APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae) targeted sectors such as shipping, logistics, and media for information gathering purposes. [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) used previously-observed malware such as [DUSTPAN](https://app.tidalcyber.com/software/78454d3f-fa12-5b6f-9390-6412064d7c8d) as well as newly observed tools such as [DUSTTRAP](https://app.tidalcyber.com/software/ed72d5bb-2cf7-51a4-9d76-97fbd11c54d0) in [APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae).<sup>[[Google Cloud APT41 2024](https://app.tidalcyber.com/references/33bb9f8a-db9d-5dda-b4ae-2ba7fee0a0ae)]</sup>",
"meta": {
"campaign_attack_id": "C0040",
"first_seen": "2023-01-31T23:00:00Z",
"last_seen": "2024-06-30T22:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "b90adbbd-0fe3-5c5f-9433-543a5f01b0ae",
"value": "APT41 DUST"
},
{
"description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.<sup>[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]</sup> The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>",
"meta": {
"campaign_attack_id": "C3036",
"first_seen": "2023-11-01T00:00:00Z",
"last_seen": "2024-02-29T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"a159c91c-5258-49ea-af7d-e803008d97d3",
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"15787198-6c8b-4f79-bf50-258d55072fee",
"6bb2f579-a5cd-4647-9dcd-eff05efe3679",
"c25f341a-7030-4688-a00b-6d637298e52e",
"9768aada-9d63-4d46-ab9f-d41b8c8e4010",
"2e85babc-77cd-4455-9c6e-312223a956de",
"0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3"
]
},
"related": [],
"uuid": "ccc6401a-b79f-424b-8617-3c2d55475584",
"value": "ArcaneDoor"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.<sup>[[Www.invictus-ir.com 1 11 2024](/references/5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9)]</sup>",
"meta": {
"campaign_attack_id": "C3034",
"first_seen": "2024-01-01T00:00:00Z",
"last_seen": "2024-01-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2e5f6e4a-4579-46f7-9997-6923180815dd",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "9779935d-e316-4482-bec8-3d0704a26dc0",
"value": "AWS Data Theft & Ransom Attack"
},
{
"description": "Security researchers observed adversary activity that involved deployment of hundreds of AWS ECS Fargate clusters used to run XMRig cryptomining software. Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.<sup>[[Datadog ECS January 19 2024](/references/7e4e44a7-b079-41af-b41d-176ba7e99563)]</sup>",
"meta": {
"campaign_attack_id": "C3031",
"first_seen": "2023-12-01T00:00:00Z",
"last_seen": "2024-01-19T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2e5f6e4a-4579-46f7-9997-6923180815dd",
"8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "a94a5919-953e-4607-aaa4-dfccf6d938b5",
"value": "AWS Fargate Cryptojacking Activity"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.<sup>[[Unit 42 12 8 2022](/references/e7a4a0cf-ffa2-48cc-9b21-a2333592c773)]</sup>",
"meta": {
"campaign_attack_id": "C3032",
"first_seen": "2022-05-20T00:00:00Z",
"last_seen": "2022-05-20T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2e5f6e4a-4579-46f7-9997-6923180815dd",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "64bddb9e-8bb4-481e-851a-0ddd7ba34615",
"value": "AWS Lambda Credential Theft & Phishing Attack"
},
{
"description": "Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.<sup>[[Rapid7 Blog 5 10 2024](/references/ba749fe0-1ac7-4767-85df-97e6351c37f9)]</sup><sup>[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]</sup>",
"meta": {
"campaign_attack_id": "C3037",
"first_seen": "2024-04-15T00:00:00Z",
"last_seen": "2024-05-15T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "b6ce227e-7240-4591-a8b9-641822c1f9f4",
"value": "Black Basta Operator Social Engineering Campaign"
},
{
"description": "This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.",
"meta": {
"campaign_attack_id": "C3025",
"first_seen": "2023-03-01T00:00:00Z",
"last_seen": "2024-02-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
"84615fe0-c2a5-4e07-8957-78ebc29b4635",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "0e3a0fa7-78eb-4820-9881-d62b04fe6f92",
"value": "Bumblebee Distribution Campaigns 2023-24"
},
{
"description": "[C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researchers assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) began by at least late 2020, and was still ongoing as of mid-2022.<sup>[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]</sup>",
"meta": {
"campaign_attack_id": "C0010",
"first_seen": "2020-12-01T07:00:00Z",
"last_seen": "2022-08-01T06:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "a1e33caf-6eb0-442f-b97a-f6042f21df48",
"value": "C0010"
},
{
"description": "[C0011](https://app.tidalcyber.com/campaigns/4c7386a7-9741-4ae4-8ad9-def03ed77e29) was a suspected cyber espionage campaign conducted by [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25)'s historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.<sup>[[Cisco Talos Transparent Tribe Education Campaign July 2022](https://app.tidalcyber.com/references/acb10fb6-608f-44d3-9faf-7e577b0e2786)]</sup>",
"meta": {
"campaign_attack_id": "C0011",
"first_seen": "2021-12-01T06:00:00Z",
"last_seen": "2022-07-01T05:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "4c7386a7-9741-4ae4-8ad9-def03ed77e29",
"value": "C0011"
},
{
"description": "[C0015](https://app.tidalcyber.com/campaigns/85bbff82-ba0c-4193-a3b5-985afd5690c5) was a ransomware intrusion during which the unidentified attackers used [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac), [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), and [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5), along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) ransomware playbook based on the observed pattern of activity and operator errors.<sup>[[DFIR Conti Bazar Nov 2021](https://app.tidalcyber.com/references/a6f1a15d-448b-41d4-81f0-ee445cba83bd)]</sup>",
"meta": {
"campaign_attack_id": "C0015",
"first_seen": "2021-08-01T05:00:00Z",
"last_seen": "2021-08-01T05:00:00Z",
"source": "MITRE",
"tags": [
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172"
]
},
"related": [],
"uuid": "85bbff82-ba0c-4193-a3b5-985afd5690c5",
"value": "C0015"
},
{
"description": "[C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100) was an [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During [C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100), [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of [C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100) are unknown, however [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) was observed exfiltrating Personal Identifiable Information (PII).<sup>[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]</sup>",
"meta": {
"campaign_attack_id": "C0017",
"first_seen": "2021-05-01T04:00:00Z",
"last_seen": "2022-02-01T05:00:00Z",
"source": "MITRE",
"tags": [
"a98d7a43-f227-478e-81de-e7299639a355"
]
},
"related": [],
"uuid": "a56d7700-c015-52ca-9c52-fed4d122c100",
"value": "C0017"
},
{
"description": "[C0018](https://app.tidalcyber.com/campaigns/0452e367-aaa4-5a18-8028-a7ee136fe646) was a month-long ransomware intrusion that successfully deployed [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0) onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0).<sup>[[Costa AvosLocker May 2022](https://app.tidalcyber.com/references/a94268d8-6b7c-574b-a588-d8fd80c27fd3)]</sup><sup>[[Cisco Talos Avos Jun 2022](https://app.tidalcyber.com/references/1170fdc2-6d8e-5b60-bf9e-ca915790e534)]</sup>",
"meta": {
"campaign_attack_id": "C0018",
"first_seen": "2022-02-01T05:00:00Z",
"last_seen": "2022-03-01T05:00:00Z",
"source": "MITRE",
"tags": [
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172"
]
},
"related": [],
"uuid": "0452e367-aaa4-5a18-8028-a7ee136fe646",
"value": "C0018"
},
{
"description": "[C0021](https://app.tidalcyber.com/campaigns/86bed8da-4cab-55fe-a2d0-9214db1a09cf) was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. [C0021](https://app.tidalcyber.com/campaigns/86bed8da-4cab-55fe-a2d0-9214db1a09cf)'s technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity.<sup>[[Microsoft Unidentified Dec 2018](https://app.tidalcyber.com/references/896c88f9-8765-4b60-b679-667b338757e3)]</sup><sup>[[FireEye APT29 Nov 2018](https://app.tidalcyber.com/references/30e769e0-4552-429b-b16e-27830d42edea)]</sup>",
"meta": {
"campaign_attack_id": "C0021",
"first_seen": "2018-11-01T05:00:00Z",
"last_seen": "2018-11-01T05:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "86bed8da-4cab-55fe-a2d0-9214db1a09cf",
"value": "C0021"
},
{
"description": "[C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) was a campaign identified in September 2022 that included the selective distribution of [KOPILUWAK](https://app.tidalcyber.com/software/d09c4459-1aa3-547d-99f4-7ac73b8043f0) and [QUIETCANARY](https://app.tidalcyber.com/software/52d3515c-5184-5257-bf24-56adccb4cccd) malware to previous [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) malware victims in Ukraine through re-registered [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) C2 domains. Several tools and tactics used during [C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) were consistent with historic [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) operations.<sup>[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]</sup>",
"meta": {
"campaign_attack_id": "C0026",
"first_seen": "2022-08-01T05:00:00Z",
"last_seen": "2022-09-01T04:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "41f283a1-b2ac-547d-98d5-ff907afd08c7",
"value": "C0026"
},
{
"description": "[C0027](https://app.tidalcyber.com/campaigns/a9719584-4f52-5a5d-b0f7-1059e715c2b8) was a financially-motivated campaign linked to [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During [C0027](https://app.tidalcyber.com/campaigns/a9719584-4f52-5a5d-b0f7-1059e715c2b8) [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.<sup>[[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]</sup>",
"meta": {
"campaign_attack_id": "C0027",
"first_seen": "2022-06-01T04:00:00Z",
"last_seen": "2022-12-01T05:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "a9719584-4f52-5a5d-b0f7-1059e715c2b8",
"value": "C0027"
},
{
"description": "[C0032](https://app.tidalcyber.com/campaigns/c26b3156-8472-5b87-971f-41a7a4702268) was an extended campaign suspected to involve the [Triton](https://app.tidalcyber.com/software/) adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the [Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b).<sup>[[FireEye TRITON 2019](https://app.tidalcyber.com/references/49c97b85-ca22-400a-9dc4-6290cc117f04)]</sup>",
"meta": {
"campaign_attack_id": "C0032",
"first_seen": "2014-10-01T04:00:00Z",
"last_seen": "2017-01-01T05:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "c26b3156-8472-5b87-971f-41a7a4702268",
"value": "C0032"
},
{
"description": "[C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was a [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) campaign during which they used [StrongPity](https://app.tidalcyber.com/software/ed563524-235e-4e06-8c69-3f9d8ddbfd8a) to target Android users. [C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was the first publicly documented mobile campaign for [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0), who previously used Windows-based techniques.<sup>[[welivesec_strongpity](https://app.tidalcyber.com/references/1b89df2c-e756-599a-9f7f-a5230db9de46)]</sup>",
"meta": {
"campaign_attack_id": "C0033",
"first_seen": "2016-05-01T07:00:00Z",
"last_seen": "2023-01-01T08:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "c5d35d8d-fe96-5210-bb57-4692081a25a9",
"value": "C0033"
},
{
"description": "Actors associated with the North Korean threat group Citrine Sleet were observed exploiting a zero-day vulnerability (CVE-2024-7971) in Chromium web browser software to achieve remote code execution in target environments. Actors were observed delivering FudModule, an advanced rootkit tool, during the attacks.<sup>[[Microsoft Security Blog August 30 2024](/references/d7ef2e80-30c0-47ce-91d4-db1690c6c689)]</sup>",
"meta": {
"campaign_attack_id": "C3055",
"first_seen": "2024-08-19T00:00:00Z",
"last_seen": "2024-08-30T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"a38ef717-4427-4aa0-9666-bb97c6ff45f3",
"b9c973c9-062d-4cbd-8bfe-98d0b4e547eb",
"a98d7a43-f227-478e-81de-e7299639a355",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "3ecdd876-7e93-4877-9032-49170c65a864",
"value": "Citrine Sleet Chromium Zero-Day Exploit Activity (CVE-2024-7971)"
},
{
"description": "Microsoft researchers observed threat actors, believed to be members of the Citrine Sleet aka DEV-0139 group, launch an apparently targeted attack against an organization in the cryptocurrency industry.<sup>[[Microsoft DEV-0139 December 6 2022](/references/f9c070f1-aa83-45a3-bffb-c90f4caf5926)]</sup>",
"meta": {
"campaign_attack_id": "C3056",
"first_seen": "2024-06-18T00:00:00Z",
"last_seen": "2022-10-19T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "dd4f230d-198b-45d5-b0f9-55ee725cd836",
"value": "Citrine Sleet Cryptocurrency Industry Attack"
},
{
"description": "In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup> Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.<sup>[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-34362<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup>",
"meta": {
"campaign_attack_id": "C3005",
"first_seen": "2023-05-27T00:00:00Z",
"last_seen": "2023-06-16T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"5e7433ad-a894-4489-93bc-41e90da90019",
"a98d7a43-f227-478e-81de-e7299639a355",
"173e1480-8d9b-49c5-854d-594dde9740d6"
]
},
"related": [],
"uuid": "f20c935b-e0c5-4941-b710-73cf06dd2b4a",
"value": "Clop MOVEit Transfer Vulnerability Exploitation"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C3022",
"first_seen": "2023-11-14T00:00:00Z",
"last_seen": "2023-11-24T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"fe28cf32-a15c-44cf-892c-faa0360d6109",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4",
"value": "Cloudflare Thanksgiving 2023 security incident"
},
{
"description": "Actors deploying a variant of the Mirai botnet, known as Corona, were observed exploiting a zero-day vulnerability (CVE-2024-7029) to achieve initial infection of new devices with the botnet. The vulnerability enables remote code execution on affected devices (AVTECH closed-circuit television (CCTV) cameras), which actors abused to ingress their main payloads.<sup>[[Akamai Corona Zero-Day August 28 2024](/references/140284f8-075c-4225-99dd-519ba5cebabe)]</sup>",
"meta": {
"campaign_attack_id": "C3051",
"first_seen": "2024-03-18T00:00:00Z",
"last_seen": "2024-08-28T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"55cb344a-cbd5-4fd1-a1e9-30bbc956527e",
"f925e659-1120-4b76-92b6-071a7fb757d6",
"06236145-e9d6-461c-b7e4-284b3de5f561",
"a98d7a43-f227-478e-81de-e7299639a355",
"33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "4f1823b1-80ad-4f5d-ba04-a4d4baf37e72",
"value": "Corona Mirai Botnet Zero-Day Exploit Campaign"
},
{
"description": "[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.<sup>[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]</sup>",
"meta": {
"campaign_attack_id": "C0004",
"first_seen": "2019-10-01T04:00:00Z",
"last_seen": "2020-11-01T04:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48",
"value": "CostaRicto"
},
{
"description": "[Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.<sup>[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]</sup><sup>[[Volexity Ivanti Zero-Day Exploitation January 2024](https://app.tidalcyber.com/references/93eda380-ea21-59e0-97e8-5bec1f9a0e71)]</sup><sup>[[Volexity Ivanti Global Exploitation January 2024](https://app.tidalcyber.com/references/b96fa4f2-864d-5d88-9a29-b117da8f8c5c)]</sup><sup>[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)]</sup><sup>[[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]</sup>",
"meta": {
"campaign_attack_id": "C0029",
"first_seen": "2023-12-01T05:00:00Z",
"last_seen": "2024-02-01T05:00:00Z",
"source": "MITRE",
"tags": [
"fe984a01-910d-4e39-9c49-179aa03f75ab",
"9768aada-9d63-4d46-ab9f-d41b8c8e4010",
"758c3085-2f79-40a8-ab95-f8a684737927",
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"35e694ec-5133-46e3-b7e1-5831867c3b55",
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
"15787198-6c8b-4f79-bf50-258d55072fee",
"d1ab6bd6-2688-4e54-a1d3-d180bb8fd41a",
"1ff4614e-0ee6-4e04-921d-61abba7fcdb7",
"e00b65fc-8f56-4a9e-9f09-ccf3124a3272"
]
},
"related": [],
"uuid": "4e605e33-57fe-5bb2-b0ad-ec146aac041b",
"value": "Cutting Edge"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an \"accidentally exposed long term access key belonging to an IAM user\". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining activity, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.<sup>[[Www.invictus-ir.com 1 31 2024](/references/803a084a-0468-4c43-9843-a0b5652acdba)]</sup>",
"meta": {
"campaign_attack_id": "C3033",
"first_seen": "2024-01-01T00:00:00Z",
"last_seen": "2024-01-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"2e5f6e4a-4579-46f7-9997-6923180815dd"
]
},
"related": [],
"uuid": "8ee9d9f1-9906-4f0d-a4a7-0e6ed1aa4069",
"value": "DangerDev AWS Attack"
},
{
"description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.<sup>[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]</sup>",
"meta": {
"campaign_attack_id": "C3026",
"first_seen": "2022-12-01T00:00:00Z",
"last_seen": "2022-12-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"6070668f-1cbd-4878-8066-c636d1d8659c",
"d8f7e071-fbfd-46f8-b431-e241bb1513ac",
"e7ea1f6d-59f2-40c1-bbfe-835dedf033ee"
]
},
"related": [],
"uuid": "1a2caf4c-658d-4117-a912-55f4d6bca899",
"value": "Defense Sector Supply Chain Compromise by North Korea-Linked Actors"
},
{
"description": "Security researchers observed consistent adversary use of Web Distributed Authoring and Versioning (WebDAV) technology to host malicious files related to Emmenhtal (aka PeakLight), a stealthy loader malware that was then used to ingress various final malicious payloads, including DarkGate, Amadey, and SelfAU3.<sup>[[Sekoia.io Blog September 19 2024](/references/df9ff358-4d1e-4094-92cd-4703c53a384c)]</sup>",
"meta": {
"campaign_attack_id": "C3060",
"first_seen": "2023-12-01T00:00:00Z",
"last_seen": "2024-09-19T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"61085b71-eb19-46d8-a9e6-1ab9d2f3c08d",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "0ca317da-c8d6-4bd5-8c1e-5d581c9095ce",
"value": "Emmenhtal Loader Distribution Activity"
},
{
"description": "ESET researchers observed cyberespionage activity that they linked to the FamousSparrow group, where actors used ProxyLogon and other vulnerability exploits to compromise hotel, legal, and other organizations worldwide and install a backdoor dubbed SparrowDoor, among other post-exploit tools.<sup>[[ESET FamousSparrow September 23 2021](/references/f91d6d8e-22a4-4851-9444-7a066e6b7aa5)]</sup>\n\nAt a similar time, Kaspersky researchers reported activity they linked to the GhostEmperor group, where ProxyLogon was also exploited and similar post-exploit tools were deployed, as well as a rootkit dubbed Demodex. The researchers further indicated that one of the command and control servers identified during their investigation correlated to the FamousSparrow activity that ESET had reported.<sup>[[Kaspersky September 30 2021](/references/8851f554-05c6-4fb0-807e-2ef0bc28e131)]</sup>",
"meta": {
"campaign_attack_id": "C3064",
"first_seen": "2021-03-03T00:00:00Z",
"last_seen": "2021-03-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"915e7ac2-b266-45d7-945c-cb04327d6246",
"e499005b-adba-45bb-85e3-07043fd9edf9",
"8b1cb0dc-dd3e-44ba-828c-55c040e93b93",
"5f5e40cd-0732-4eb4-a083-06940623c3f9",
"15f2277a-a17e-4d85-8acd-480bf84f16b4",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "7fa02214-cd06-480d-af2d-5943be14c6bd",
"value": "FamousSparrow/GhostEmperor Vulnerability Exploit and Post-Compromise Activity"
},
{
"description": "In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.\n\nThe actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.\n\nAdditional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf).<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>",
"meta": {
"campaign_attack_id": "C3010",
"first_seen": "2023-03-01T00:00:00Z",
"last_seen": "2023-03-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"89c5b94b-ecf4-4d53-9b74-3465086d4565",
"2743d495-7728-4a75-9e5f-b64854039792",
"ecd84106-2a5b-4d25-854e-b8d1f57f6b75",
"a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530",
"4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930",
"d385b541-4033-48df-93cd-237ca6e46f36"
]
},
"related": [],
"uuid": "129ffe04-ea90-45d1-a2fd-7ff0bffa0433",
"value": "FIN12 March 2023 Hospital Center Intrusion"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.",
"meta": {
"campaign_attack_id": "C3066",
"first_seen": "2024-06-27T00:00:00Z",
"last_seen": "2024-10-23T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"ef7715f8-526a-4df5-bad3-74b66170a52b",
"a98d7a43-f227-478e-81de-e7299639a355",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "50a2fbb8-e92e-4033-9dfc-d6b47aaab22d",
"value": "FortiManager Zero-Day Exploit Activity (CVE-2024-47575)"
},
{
"description": "[Frankenstein](https://app.tidalcyber.com/campaigns/2fab9878-8aae-445a-86db-6b47b473f56b) was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including [Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207). The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.<sup>[[Talos Frankenstein June 2019](https://app.tidalcyber.com/references/a6faa495-db01-43e8-9db3-d446570802bc)]</sup>",
"meta": {
"campaign_attack_id": "C0001",
"first_seen": "2019-01-01T06:00:00Z",
"last_seen": "2019-04-01T05:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "2fab9878-8aae-445a-86db-6b47b473f56b",
"value": "Frankenstein"
},
{
"description": "[FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign to possible Chinese-speaking threat actors through the use of the [Chinoxy](https://app.tidalcyber.com/software/7c36563a-9143-4766-8aef-4e1787e18d8c) backdoor and noted infrastructure overlap with the TAG-16 threat group.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup><sup>[[Kaspersky APT Trends Q1 2020](https://app.tidalcyber.com/references/23c91719-5ebe-4d03-8018-df1809fffd2f)]</sup><sup>[[Recorded Future Chinese Activity in Southeast Asia December 2021](https://app.tidalcyber.com/references/0809db3b-81a8-475d-920a-cb913b30f42e)]</sup>",
"meta": {
"campaign_attack_id": "C0007",
"first_seen": "2018-07-01T05:00:00Z",
"last_seen": "2020-11-01T04:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "94587edf-0292-445b-8c66-b16629597f1e",
"value": "FunnyDream"
},
{
"description": "In July 2024, Sygnia researchers reported on what they described as an \"updated infection chain\" used to deploy a variant of the Demodex rootkit, associated with the GhostEmperor (AKA FamousSparrow and Salt Typhoon) China-backed cyberespionage group. The attacks, which were discovered at an unspecified time in \"late 2023\", featured malware loading and obfuscation methods distinct from those observed during previous GhostEmperor activity in 2021.<sup>[[Sygnia July 17 2024](/references/7d30acb4-9600-46bd-a800-1c7e1149e9b4)]</sup>",
"meta": {
"campaign_attack_id": "C3065",
"first_seen": "2023-12-01T00:00:00Z",
"last_seen": "2023-12-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "c1447188-c034-408e-a827-55314c698827",
"value": "GhostEmperor/Demodex 2023 Compromise"
},
{
"description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.<sup>[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]</sup>",
"meta": {
"campaign_attack_id": "C3042",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2024-06-24T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"d903e38b-600d-4736-9e3b-cf1a6e436481",
"e551ae97-d1b4-484e-9267-89f33829ec2c"
]
},
"related": [],
"uuid": "1610257c-e2fc-4b05-bd63-5c2cbfb2342e",
"value": "Healthcare Social Engineering & Payment Diversion Activity"
},
{
"description": "[HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for [HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) was established in May 2021; threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the \"HomeLand Justice\" front, whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group that maintains a refugee camp in Albania and was formerly designated a terrorist organization by the US State Department.<sup>[[Mandiant ROADSWEEP August 2022](https://app.tidalcyber.com/references/0d81ec58-2e12-5824-aa53-feb0d2260f30)]</sup><sup>[[Microsoft Albanian Government Attacks September 2022](https://app.tidalcyber.com/references/d00399e9-a6c6-5691-92cd-0185b03b689e)]</sup><sup>[[CISA Iran Albanian Attacks September 2022](https://app.tidalcyber.com/references/c5d37bde-52bc-525a-b25a-e097f77a924a)]</sup> A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.<sup>[[CISA Iran Albanian Attacks September 2022](https://app.tidalcyber.com/references/c5d37bde-52bc-525a-b25a-e097f77a924a)]</sup>",
"meta": {
"campaign_attack_id": "C0038",
"first_seen": "2021-05-01T04:00:00Z",
"last_seen": "2022-09-01T04:00:00Z",
"source": "MITRE",
"tags": [
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee"
]
},
"related": [],
"uuid": "04329c95-d792-5333-b5bc-13ef2c545d7b",
"value": "HomeLand Justice"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C3021",
"first_seen": "2023-05-01T00:00:00Z",
"last_seen": "2023-12-12T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"15f2277a-a17e-4d85-8acd-480bf84f16b4",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "d1244338-85dd-4650-989a-9df8020860b9",
"value": "HPE Midnight Blizzard Office 365 Email Exfiltration"
},
{
"description": "In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>\n\n**Related Vulnerabilities**: CVE-2021-44228<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>",
"meta": {
"campaign_attack_id": "C3012",
"first_seen": "2022-06-15T00:00:00Z",
"last_seen": "2022-07-15T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"15787198-6c8b-4f79-bf50-258d55072fee",
"7e6ef160-8e4f-4132-bdc4-9991f01c472e"
]
},
"related": [],
"uuid": "7d6ff40d-51f3-42f8-b986-e7421f59b4bd",
"value": "Iranian APT Credential Harvesting & Cryptomining Activity"
},
{
"description": "In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state – after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.<sup>[[U.S. CISA Iran Voter Data November 3 2020](/references/be89be75-c33f-4c58-8bf0-979c1debaad7)]</sup>",
"meta": {
"campaign_attack_id": "C3014",
"first_seen": "2020-09-20T00:00:00Z",
"last_seen": "2020-10-20T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber"
},
"related": [],
"uuid": "18cf25b5-ed3a-40f6-bf0a-a3938a4f8da2",
"value": "Iranian APT Targeting U.S. Voter Data"
},
{
"description": "On October 16, 2024, U.S., Canadian, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA24-290A, which detailed attacks by unspecified \"Iranian cyber actors\", who used brute forcing and other credential access techniques to compromise various critical infrastructure entities, including organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The advisory indicated that the actors likely carried out the attacks in order to ultimately sell harvested credentials and victim network information \"to enable access to cybercriminals\".<sup>[[U.S. CISA Iranian Actors Critical Infrastructure October 16 2024](/references/a70a4487-eaae-43b3-bfe0-0677fd911959)]</sup>",
"meta": {
"campaign_attack_id": "C3063",
"first_seen": "2023-10-01T00:00:00Z",
"last_seen": "2024-02-07T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"51006447-540b-4b9d-bdba-1cbff8038ae9",
"35e694ec-5133-46e3-b7e1-5831867c3b55",
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"15787198-6c8b-4f79-bf50-258d55072fee",
"89c5b94b-ecf4-4d53-9b74-3465086d4565",
"291c006e-f77a-4c9c-ae7e-084974c0e1eb",
"15f2277a-a17e-4d85-8acd-480bf84f16b4",
"c9c73000-30a5-4a16-8c8b-79169f9c24aa"
]
},
"related": [],
"uuid": "3b15979c-eabf-41d1-8930-f480106f8430",
"value": "Iranian Cyber Actors Compromise Critical Infrastructure Organizations"
},
{
"description": "In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.\n\nThe actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.\n\nIn addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).\n\n**Related Vulnerabilities**: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105<sup>[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)]</sup>, CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591<sup>[[U.S. CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]</sup>",
"meta": {
"campaign_attack_id": "C3013",
"first_seen": "2021-03-01T00:00:00Z",
"last_seen": "2022-09-14T00:00:00Z",
"owner": "TidalCyberIan",