
Releases: MISP/misp-galaxy

MISP Galaxy 2024110700 has been released with many updates and improvements

07 Nov 08:15
2024110700
a2bfccf

MISP Galaxy Release Notes

Release Date: November 7, 2024

Overview:

This release introduces a variety of updates and enhancements to the MISP galaxy and clusters. Highlights include updates to threat actor clusters, the addition of new ransomware groups, and improvements to documentation.

🔗 GitHub repository - https://github.com/MISP/misp-galaxy
🔗 Public website - https://www.misp-galaxy.org/


Key Updates:

  1. New Threat Actor Additions and Updates:

    • Added new threat actors such as Blackmeta, DarkRaaS, TaskMasters, SongXY, CeranaKeeper, Awaken Likho, SkidSec, and others.
    • Alias additions for notable actors like APT10, AridViper, and others.
    • Relations and cross-references were established between actors, enhancing the intelligence structure (e.g., Earth Estries and GhostEmperor).
  2. Ransomware Cluster Updates:

    • Comprehensive updates were made to the ransomware clusters to reflect the latest developments and threat intelligence. This cluster is kept in line with the group information published by ransomlook.io.
  3. Documentation Improvements:

    • README files updated for clarity and improved user guidance.
  4. Cluster Enhancements:

    • "Operation Cobalt Whisper" was added, expanding the range of documented operations.
  5. Producer and Sigma Updates:

    • Added producers such as Recorded Future, Cyble, Cyfirma, and others.
    • Updated Sigma rules and related documentation.

Main contributors for this release:

  • Alexandre Dulaunoy
  • Mathieu4141
  • Delta-Sierra
  • Rony
  • Jean-Louis Huynen

Conclusion:

This release strengthens MISP's coverage of current threat intelligence needs by adding new actors and producers, refining existing documentation, and improving the overall user experience through these updates.

Notes about tagging

Starting with this release, misp-galaxy will be tagged using the %Y%m%d00 format for each new version. This change enables users to easily verify whether they are using the latest release. The versioning is now independent of the MISP core software, as the project is also utilized as a standalone tool in various other applications.
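As an added illustration of the tagging scheme described above (example code, not part of the misp-galaxy project), the helper below parses a date-based tag such as 2024110700, rejects legacy MISP-core-aligned tags like v2.4.142 so that the two schemes are never compared by accident, and tells you whether a local checkout is behind the latest published tag. The function names and the interpretation of the trailing two digits as a same-day sequence number are assumptions for this example.

```python
"""Parse and compare misp-galaxy release tags in the %Y%m%d00 format.

Added example; not tooling from the misp-galaxy repository.
"""
import re
from datetime import date, datetime

# Tags since 2024110700 are YYYYMMDD followed by two digits (00 for the
# first tag of a given day; assumed here to be a same-day sequence number).
# Earlier tags looked like v2.4.142 and tracked the MISP core version.
_NEW_TAG = re.compile(r"^(\d{8})(\d{2})$")
_LEGACY_TAG = re.compile(r"^v\d+\.\d+\.\d+$")


def parse_galaxy_tag(tag: str) -> tuple[date, int]:
    """Return (release date, sequence number) for a %Y%m%d00 tag.

    Raises ValueError for legacy vX.Y.Z tags, for strings that are not ten
    digits, and for impossible calendar dates (e.g. 2024133100), so a caller
    never silently orders tags from the two schemes against each other.
    """
    m = _NEW_TAG.match(tag)
    if not m:
        if _LEGACY_TAG.match(tag):
            raise ValueError(f"{tag} is a legacy MISP-core-aligned tag; not comparable")
        raise ValueError(f"{tag} is not in %Y%m%d00 format")
    day = datetime.strptime(m.group(1), "%Y%m%d").date()
    return day, int(m.group(2))


def is_up_to_date(local_tag: str, latest_tag: str) -> bool:
    """True when the local checkout is at or past the latest published tag."""
    return parse_galaxy_tag(local_tag) >= parse_galaxy_tag(latest_tag)


def days_behind(local_tag: str, latest_tag: str) -> int:
    """Calendar days between the local tag's date and the latest tag's date."""
    local_day, _ = parse_galaxy_tag(local_tag)
    latest_day, _ = parse_galaxy_tag(latest_tag)
    return (latest_day - local_day).days


if __name__ == "__main__":
    # Constructed sample: a checkout from mid-October compared with this release.
    print(is_up_to_date("2024101500", "2024110700"), days_behind("2024101500", "2024110700"))
```

A tuple comparison orders first by date and then by the sequence number, so two tags cut on the same day still compare correctly; a pipeline that pins the galaxy version can fail a build when days_behind exceeds its freshness budget.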

MISP galaxy v2.4.142 released (to be in line with the MISP release)

26 Apr 10:23
v2.4.142
ef9989d

v2.4.142 (2021-04-26)

New

  • [att&ck] support for subtechniques. [Christophe Vandeplas]

  • [dev] fix empty strings, lists. [VVX7]

  • [dev] add ASPI's China Defence University Tracker. [VVX7]

    Thanks to Cormac Doherty for writing the web scraper! To update the galaxy run the included gen_defence_university.py script.

    "The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre.

    It includes entries on nearly 100 civilian universities, 50 People’s Liberation Army institutions, China’s nuclear weapons program, three Ministry of State Security institutions, four Ministry of Public Security universities, and 12 state-owned defence industry conglomerates.

    The Tracker is a tool to inform universities, governments and scholars as they engage with the entities from the People’s Republic of China. It aims to build understanding of the expansion of military-civil fusion—the Chinese government’s policy of integrating military and civilian efforts—into the education sector.

    The Tracker should be used to inform due diligence of Chinese institutions. However, the fact that an institution is not included here does not indicate that it should not raise risks or is not involved in defence research. Similarly, entries in the database may not reflect the full range and nature of an institution’s defence and security links." - ASPI (https://unitracker.aspi.org.au/about/)

  • Added Bhadra framework for mobile attacks. [iglocska]

  • [country] galaxy added. [iglocska]

  • [galaxy] AMITT (Adversarial Misinformation and Influence Tactics and Techniques) framework for describing disinformation incidents. AMITT is part of misinfosec - work on adapting information security practices to help track and counter misinformation - and is designed as far as possible to fit existing infosec practices and tools. [VVX7]

  • Added draft of the election guidelines galaxy. [mokaddem]

  • Add entries from Bambenek Consulting. [Raphaël Vinot]

Changes

  • [ransomware] duplicate removed. [Alexandre Dulaunoy]

  • [ransomware] duplicate removed. [Alexandre Dulaunoy]

  • [ransomware] duplicates removed. [Alexandre Dulaunoy]

  • [ransomware] Flyper removed. [Alexandre Dulaunoy]

  • [ransomware] first duplicate removed. [Alexandre Dulaunoy]

  • [ransomware] remove duplicate "File-Locker" [Alexandre Dulaunoy]

  • [malpedia] jq all the file and removed ref duplicates. [Alexandre Dulaunoy]

  • [clusters] fixing broken UUID fix #628. [Alexandre Dulaunoy]

  • [ransomware] fix the broken UUID fix #628. [Alexandre Dulaunoy]

  • [microsoft activity group] HAFNIUM added. [Alexandre Dulaunoy]

  • [tool] SUNSPOT added. [Alexandre Dulaunoy]

  • [rsit] rsit as galaxy name. [Alexandre Dulaunoy]

  • [threat-actor] UNC2452/DarkHalo added - ref. #614. [Alexandre Dulaunoy]

  • [ransomware] Babuk Ransomware added. [Alexandre Dulaunoy]

  • [ransomware] RegretLocker added. [Alexandre Dulaunoy]

  • Fix gh actions. [Raphaël Vinot]

  • Add PR to GH actions. [Raphaël Vinot]

  • [doc] Travis is dead, GH Action is alive. [Alexandre Dulaunoy]

  • [att&ck] update to latest MITRE ATT&CK version. [Christophe Vandeplas]

  • [cryptominer] updated. [Alexandre Dulaunoy]

  • [rename] tea matrix. [Alexandre Dulaunoy]

  • [tea] matrix updated to include brewing time and the milk attack technique. [Alexandre Dulaunoy]

  • [tea] first version. [Alexandre Dulaunoy]

  • [att&ck] no tag for subtechnique. [Christophe Vandeplas]

  • [botnet] Katura mess added. [Alexandre Dulaunoy]

  • [galaxy] fix the name to China Defence Universities Tracker. [Alexandre Dulaunoy]

  • [dev] jq. [VVX7]

  • [dev] gen_defence_university.py no longer outputs empty strings, lists. [VVX7]

  • [threat-actor] remove duplicate references. [Alexandre Dulaunoy]

  • [threat-actor] fix #561 by using new meta to classify as a campaign only. [Alexandre Dulaunoy]

    Based on #469

    There is an old and persistent issue in the attribution world and basically no-one really agrees on this. So we decided to start a specific metadata threat-actor-classification on the threat-actor to define the various types per cluster entry:

    • operation:
      • A military operation is the coordinated military actions of a state, or a non-state actor, in response to a developing situation. These actions are designed as a military plan to resolve the situation in the state or actor's favor. Operations may be of a combat or non-combat nature and may be referred to by a code name for the purpose of national security. Military operations are often known for their more generally accepted common usage names than their actual operational objectives. from Wikipedia
      • In the context of MISP threat-actor name, it's a single specific operation.
    • campaign:
      • The term military campaign applies to large scale, long duration, significant military strategy plans incorporating a series of inter-related military operations or battles forming a distinct part of a larger conflict often called a war. The term derives from the plain of Campania, a place of annual wartime operations by the armies of the Roman Republic. from Wikipedia
      • In the context of MISP threat-actor-name, it's long-term activity which might be composed of one or more operations.
    • threat-actor
      • In the context of MISP threat-actor-name, it's an agreed name by a set of organisations.
    • activity group
      • In the context of MISP threat-actor-name, it's a group defined by its set of common techniques or activities.
    • unknown
      • In the context of MISP threat-actor-name, it's still not clear if it's an operation, campaign, threat-actor or activity group

    The meta field is an array to allow specific cluster of threat-actor to show the current disagreement between different organisations about the type (threat actor, activity group, campaign and operation).

  • Bump travis. [Raphaël Vinot]

  • [jq] all the things. [Alexandre Dulaunoy]

  • [preventive-measure] packet filtering added. [Alexandre Dulaunoy]

  • [threat-actor] remove the non-unique elements. [Alexandre Dulaunoy]

  • [ta] fix the JSON. [Alexandre Dulaunoy]

  • [jq] JSON fixed. [Alexandre Dulaunoy]

  • [json] add missing comma. [Alexandre Dulaunoy]

  • [country] jq all. [Alexandre Dulaunoy]

  • [malpedia] fixes. [Alexandre Dulaunoy]

  • [threat-actor] JSON fixed. [Alexandre Dulaunoy]

  • [travis] pip3. [Alexandre Dulaunoy]

  • [ransomware] Nodera ransomware added. [Alexandre Dulaunoy]

  • [threat-actor] typo fixed. [Alexandre Dulaunoy]

  • [threat-actor] format fixed. [Alexandre Dulaunoy]

  • [threat-actor] fix order. [Alexandre Dulaunoy]

  • [threat-actor] Budminer APT added based on document from "Soesanto, Stefan" [Alexandre Dulaunoy]

  • [threat-actor] SideWinder APT group added. [Alexandre Dulaunoy]

  • [threat-actor] jq. [Alexandre Dulaunoy]

  • [dark-pattern] namespace: misp. [Jean-Louis Huynen]

  • [ransomware] jq ;-) [Alexandre Dulaunoy]

  • [clean-up] jq all the things. [Alexandre Dulaunoy]

  • [threat-actor] Lucky Mouse synonym added. [Alexandre Dulaunoy]

  • [threat-actor] Calypso group added. [Alexandre Dulaunoy]

    Ref: https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf
    MISP UUID: 5ca4718b-7f38-4822-83b7-0a1a0a00b412

  • [threat-actor] threat-actor-classification updated. [Alexandre Dulaunoy]

  • [threat-actor] jq is jq. [Alexandre Dulaunoy]

  • [threat-actor] Operation WizardOpium added. [Alexandre Dulaunoy]

    ref: https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/

  • [attack] update to latest ATT&CK data. [Christophe Vandeplas]

  • [attck4fraud] jq all the things. [Alexandre Dulaunoy]

  • [attck4fraud] updates based on issue #466. [Alexandre Dulaunoy]

  • [galaxy] added AMITT galaxy/cluster generator script. [VVX7]

  • [galaxy] version number to int. [VVX7]

  • [misp-galaxy] jq all the things. [Alexandre Dulaunoy]

  • [tool] COMPfun - Reductor added. [Alexandre Dulaunoy]

  • [threat-actor] new LookBack (Malware?Campaign?TA?) [Alexandre Dulaunoy]

  • [threat-actor] Evil Eye and POISON CARP. [Alexandre Dulaunoy]

  • [threat-actor] add machete-apt synonyms as reported in #445. [Alexandre Dulaunoy]

  • [threat-actor] jq all. [Alexandre Dulaunoy]

  • [threat-actor] LYCEUM added - 443 #fixed. [Alexandre Dulaunoy]

  • [threat-actor] rollback as discussed by chat with Andras until version 2.0. [Alexandre Dulaunoy]

  • [att&ck] July ATT&CK release included in MISP galaxy. [Alexandre Dulaunoy]

  • [threat-actor] version updated. [Alexandre Dulaunoy]

  • [threat-actor] duplicated refs removed. [Alexandre Dulaunoy]

  • [threat-actor] synonyms fixed. [Alexandre Dulaunoy]

  • [threat-actor] jq everything. [Alexandre Dulaunoy]

  • [branded_vulnerability] version updated. [Alexandre Dulaunoy]

  • Add PyMISPGalaxies test. [Raphaël Vinot]

  • [attack-pattern] Sync kill-chain with data from MITRE. [mokaddem]

  • [o365-exchange-techniques] Actions on Intent added (finalized) [Alexandre Dulaunoy]

  • [o365-exchange-techniques] Expansion added (WiP) [Alexandre Dulaunoy]

  • [o365-exchange-techniques] Persistence kill-chain added (WiP) [Alexandre Dulaunoy]

  • [o365-exchange-techniques] Compromise row added (WiP) [Alexandre Dulaunoy]

  • [o365-exchange-techniques] [WiP] based on John Lambert matrix techniques. [Alexandre Dulaunoy]

  • [malpedia] duplicates fixed. [Alexandre Dulaunoy]

  • [malpedia] jq all the things. [Alexandre Dulaunoy]

  • [malpedia] updated to the latest version. [Rintaro KOIKE]

  • [th...

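Several of the commits above are manual clean-ups of cluster JSON: duplicate references and duplicate entries removed, broken UUIDs fixed (#628), and the introduction of the threat-actor-classification meta array for #561. The following added example (not tooling from the misp-galaxy repository) lints a cluster file for exactly those problems against the cluster layout used by the project (top-level version/uuid/values, each value with value, uuid and meta). The sample cluster, its names and its UUIDs are constructed for this example; the allowed classification values are the five listed in the #561 commit message.

```python
"""Lint a misp-galaxy cluster for the defects the changelog fixes by hand.

Added example; not tooling from the misp-galaxy repository. The sample
cluster below is constructed, including every UUID in it.
"""
import json
import uuid

# The five types the threat-actor-classification meta may carry (#561).
# The field is an array so one entry can record disagreement, e.g.
# ["operation", "campaign"].
CLASSIFICATIONS = {"operation", "campaign", "threat-actor", "activity group", "unknown"}

SAMPLE_CLUSTER = json.loads("""
{
  "name": "Example Threat Actor Cluster",
  "type": "example-threat-actor",
  "version": 1,
  "uuid": "1b1a7e4c-5d2f-4b6e-8c9a-0d1e2f3a4b5c",
  "values": [
    {
      "value": "Example Operation Alpha",
      "uuid": "0e6e9c2c-4c11-4d6b-9e8e-1b6b1f3b4c5a",
      "meta": {
        "refs": ["https://example.invalid/alpha", "https://example.invalid/alpha"],
        "threat-actor-classification": ["operation", "campaign"]
      }
    },
    {
      "value": "Example Group Beta",
      "uuid": "not-a-uuid",
      "meta": {"threat-actor-classification": ["apt group"]}
    },
    {
      "value": "Example Group Beta",
      "uuid": "c5f2d8ce-0b4e-4c3a-9a6d-2f4a9d1b7e21",
      "meta": {"refs": []}
    }
  ]
}
""")


def check_uuid(s: str) -> bool:
    """Accept only the canonical lowercase hyphenated form.

    uuid.UUID() also parses braces and un-hyphenated hex, so round-trip the
    string to reject anything that is merely UUID-like.
    """
    try:
        return str(uuid.UUID(s)) == s.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def lint_cluster(cluster: dict) -> list[str]:
    """Return a list of human-readable problems; empty means clean."""
    problems = []
    if not isinstance(cluster.get("version"), int):
        problems.append("cluster version must be an integer")
    if not check_uuid(cluster.get("uuid", "")):
        problems.append("cluster uuid is not a valid UUID")
    seen_names, seen_uuids = set(), set()
    for entry in cluster.get("values", []):
        name = entry.get("value", "<missing>")
        if name in seen_names:
            problems.append(f"duplicate value name: {name}")
        seen_names.add(name)
        u = entry.get("uuid", "")
        if not check_uuid(u):
            problems.append(f"{name}: invalid uuid {u!r}")
        elif u in seen_uuids:
            problems.append(f"{name}: duplicate uuid {u}")
        seen_uuids.add(u)
        meta = entry.get("meta", {})
        refs = meta.get("refs", [])
        if len(refs) != len(set(refs)):
            problems.append(f"{name}: duplicate refs")
        for c in meta.get("threat-actor-classification", []):
            if c not in CLASSIFICATIONS:
                problems.append(f"{name}: unknown classification {c!r}")
    return problems


def dedupe_refs(cluster: dict) -> dict:
    """Return a deep copy with duplicate refs removed, first occurrence kept."""
    out = json.loads(json.dumps(cluster))
    for entry in out.get("values", []):
        refs = entry.get("meta", {}).get("refs")
        if refs:
            entry["meta"]["refs"] = list(dict.fromkeys(refs))
    return out


if __name__ == "__main__":
    for problem in lint_cluster(SAMPLE_CLUSTER):
        print(problem)
```

Duplicate names and UUIDs are reported separately on purpose: a repeated name with a fresh UUID is the "duplicate removed" case in the changelog, while a repeated UUID would make two entries indistinguishable to MISP's correlation. Running the linter in CI alongside the existing jq pass catches these before a broken cluster is tagged.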