MISP galaxy v2.4.142 released (to be inline with MISP release)

v2.4.142 (2021-04-26)

New

• [att&ck] support for subtechniques. [Christophe Vandeplas]

• [dev] fix empty strings, lists. [VVX7]

• [dev] add ASPI's China Defence University Tracker. [VVX7]

  Thanks to Cormac Doherty for writing the web scraper! To update the galaxy run the included gen_defence_university.py script.

  "The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre.

  It includes entries on nearly 100 civilian universities, 50 People’s Liberation Army institutions, China’s nuclear weapons program, three Ministry of State Security institutions, four Ministry of Public Security universities, and 12 state-owned defence industry conglomerates.

  The Tracker is a tool to inform universities, governments and scholars as they engage with the entities from the People’s Republic of China. It aims to build understanding of the expansion of military-civil fusion—the Chinese government’s policy of integrating military and civilian efforts—into the education sector.

  The Tracker should be used to inform due diligence of Chinese institutions. However, the fact that an institution is not included here does not indicate that it should not raise risks or is not involved in defence research. Similarly, entries in the database may not reflect the full range and nature of an institution’s defence and security links." - ASPI (https://unitracker.aspi.org.au/about/)

• Added Bhadra framework for mobile attacks. [iglocska]

  • based on the paper published here: https://arxiv.org/pdf/2005.05110.pdf
  • thanks to the ATT&CK EU community conference speakers highlighting this framework!

• [country] galaxy added. [iglocska]

• [galaxy] AMITT (Adversarial Misinformation and Influence Tactics and Techniques) framework for describing disinformation incidents. AMITT is part of misinfosec - work on adapting information security practices to help track and counter misinformation - and is designed as far as possible to fit existing infosec practices and tools. [VVX7]

• Added draft of the election guildelines galaxy. [mokaddem]

• Add entries from Bambenek Consulting. [Raphaël Vinot]

Changes

• [ransomware] duplicate removed. [Alexandre Dulaunoy]

• [ransomware] duplicate removed. [Alexandre Dulaunoy]

• [ransomware] duplicates removed. [Alexandre Dulaunoy]

• [ransomware] Flyper removed. [Alexandre Dulaunoy]

• [ransomware] first duplicate removed. [Alexandre Dulaunoy]

• [ransomware] remove duplicate "File-Locker" [Alexandre Dulaunoy]

• [malpedia] jq all the file and removed ref duplicates. [Alexandre Dulaunoy]

• [clusters] fixing broken UUID fix #628. [Alexandre Dulaunoy]

• [ransomware] fix the broken UUID fix #628. [Alexandre Dulaunoy]

• [microsoft activity group] HAFNIUM added. [Alexandre Dulaunoy]

• [tool] SUNSPOT added. [Alexandre Dulaunoy]

• [rsit] rsit as galaxy name. [Alexandre Dulaunoy]

• [threat-actor] UNC2452/DarkHalo added - ref. #614. [Alexandre Dulaunoy]

• [ransomware] Babuk Ransomware added. [Alexandre Dulaunoy]

• [ransomware] RegretLocker added. [Alexandre Dulaunoy]

• Fix gh actions. [Raphaël Vinot]

• Add PR to GH actions. [Raphaël Vinot]

• [doc] Travis is dead, GH Action is alive. [Alexandre Dulaunoy]

• [att&ck] update to latest MITRE ATT&CK version. [Christophe Vandeplas]

• [cryptominer] updated. [Alexandre Dulaunoy]

• [rename] tea matrix. [Alexandre Dulaunoy]

• [tea] matrix updated to include brewing time and the milk attack technique. [Alexandre Dulaunoy]

• [tea] first version. [Alexandre Dulaunoy]

• [att&ck] no tag for subtechnique. [Christophe Vandeplas]

• [botnet] Katura mess added. [Alexandre Dulaunoy]

• [galaxy] fix the name to China Defence Universities Tracker. [Alexandre Dulaunoy]

• [dev] jq. [VVX7]

• [dev] gen_defence_university.py no longer outputs empty strings, lists. [VVX7]

• [threat-actor] remove duplicate references. [Alexandre Dulaunoy]

• [threat-actor] fix #561 by using new meta to classify as a campaign only. [Alexandre Dulaunoy]

  Based on #469

  There is an old and persistence issue in attribution world and basically no-one really agrees on this. So we decided to start a specific metadata threat-actor-classification on the threat-actor to define the various types per cluster entry:

  • operation:
    • A military operation is the coordinated military actions of a state, or a non-state actor, in response to a developing situation. These actions are designed as a military plan to resolve the situation in the state or actor's favor. Operations may be of a combat or non-combat nature and may be referred to by a code name for the purpose of national security. Military operations are often known for their more generally accepted common usage names than their actual operational objectives. from Wikipedia
    • In the context of MISP threat-actor name, it's a single specific operation.
  • campaign:
    • The term military campaign applies to large scale, long duration, significant military strategy plans incorporating a series of inter-related military operations or battles forming a distinct part of a larger conflict often called a war. The term derives from the plain of Campania, a place of annual wartime operations by the armies of the Roman Republic. from Wikipedia
    • In the context of MISP threat-actor-name, it's long-term activity which might be composed of one or more operations.
  • threat-actor
    • In the context of MISP threat-actor-name, it's an agreed name by a set of organisations.
  • activity group
    • In the context of MISP threat-actor-name, it's a group defined by its set of common techniques or activities.
  • unknown
    • In the context of MISP threat-actor-name, it's still not clear if it's an operation, campaign, threat-actor or activity group

  The meta field is an array to allow specific cluster of threat-actor to show the current disagreement between different organisations about the type (threat actor, activity group, campaign and operation).

• Bump travis. [Raphaël Vinot]

• [jq] all the things. [Alexandre Dulaunoy]

• [preventive-measure] packet filtering added. [Alexandre Dulaunoy]

• [threat-actor] remove the non-unique elements. [Alexandre Dulaunoy]

• [ta] fix the JSON. [Alexandre Dulaunoy]

• [jq] JSON fixed. [Alexandre Dulaunoy]

• [json] add missing comma. [Alexandre Dulaunoy]

• [country] jq all. [Alexandre Dulaunoy]

• [malpedia] fixes. [Alexandre Dulaunoy]

• [threat-actor] JSON fixed. [Alexandre Dulaunoy]

• [travis] pip3. [Alexandre Dulaunoy]

• [ransomware] Nodera ransomware added. [Alexandre Dulaunoy]

• [threat-actor] typo fixed. [Alexandre Dulaunoy]

• [threat-actor] format fixed. [Alexandre Dulaunoy]

• [threat-actor] fix order. [Alexandre Dulaunoy]

• [threat-actor] Budminer APT added based on document from "Soesanto, Stefan" [Alexandre Dulaunoy]

• [threat-actor] SideWinder APT group added. [Alexandre Dulaunoy]

• [threat-actor] jq. [Alexandre Dulaunoy]

• [dark-pattern] namespace: misp. [Jean-Louis Huynen]

• [ransomware] jq ;-) [Alexandre Dulaunoy]

• [clean-up] jq all the things. [Alexandre Dulaunoy]

• [threat-actor] Lucky Mouse synonym added. [Alexandre Dulaunoy]

• [threat-actor] Calypso group added. [Alexandre Dulaunoy]

  Ref: https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf
  MISP UUID: 5ca4718b-7f38-4822-83b7-0a1a0a00b412

• [threat-actor] threat-actor-classification updated. [Alexandre Dulaunoy]

• [threat-actor] jq is jq. [Alexandre Dulaunoy]

• [threat-actor] Operation WizardOpium added. [Alexandre Dulaunoy]

  ref: https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/

• [attack] update to latest ATT&CK data. [Christophe Vandeplas]

• [attck4fraud] jq all the things. [Alexandre Dulaunoy]

• [attck4fraud] updates based on issue #466. [Alexandre Dulaunoy]

• [galaxy] added AMITT galaxy/cluster generator script. [VVX7]

• [galaxy] version number to int. [VVX7]

• [misp-galaxy] jq all the things. [Alexandre Dulaunoy]

• [tool] COMPfun - Reductor added. [Alexandre Dulaunoy]

• [threat-actor] new LookBack (Malware?Campaign?TA?) [Alexandre Dulaunoy]

• [threat-actor] Evil Eye and POISON CARP. [Alexandre Dulaunoy]

• [threat-actor] add machete-apt synonyms as reported in #445. [Alexandre Dulaunoy]

• [threat-actor] jq all. [Alexandre Dulaunoy]

• [threat-actor] LYCEUM added - 443 #fixed. [Alexandre Dulaunoy]

• [threat-actor] rollback as discussed by chat with Andras until version 2.0. [Alexandre Dulaunoy]

• [att&ck] July ATT&CK release included in MISP galaxy. [Alexandre Dulaunoy]

• [threat-actor] version updated. [Alexandre Dulaunoy]

• [threat-actor] duplicated refs removed. [Alexandre Dulaunoy]

• [threat-actor] synonyms fixed. [Alexandre Dulaunoy]

• [threat-actor] jq everything. [Alexandre Dulaunoy]

• [branded_vulnerability] version updated. [Alexandre Dulaunoy]

• Add PyMISPGalaxies test. [Raphaël Vinot]

• [attack-pattern] Sync kill-chain with data from MITRE. [mokaddem]

• [o365-exchange-techniques] Actions on Intent added (finalized) [Alexandre Dulaunoy]

• [o365-exchange-techniques] Expansion added (WiP) [Alexandre Dulaunoy]

• [o365-exchange-techniques] Persistence kill-chain added (WiP) [Alexandre Dulaunoy]

• [o365-exchange-techniques] Compromise row added (WiP) [Alexandre Dulaunoy]

• [o365-exchange-techniques] [WiP] based on John Lambert matrix techniques. [Alexandre Dulaunoy]

• [malpedia] duplicates fixed. [Alexandre Dulaunoy]

• [malpedia] jq all the things. [Alexandre Dulaunoy]

• [malpedia] updated to the latest version. [Rintaro KOIKE]

• [th...