{ | |
"type": "bundle", | |
"id": "bundle--36b989bc-9e59-45d2-8998-64a5ba4da37f", | |
"spec_version": "2.0", | |
"objects": [ | |
{ | |
"modified": "2023-03-22T03:51:04.185Z", | |
"name": "FIN7", | |
"description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially motivated threat group that has been active since 2013, primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) has shifted operations to a big game hunting (BGH) approach, including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appear to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware, and the groups are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", | |
"aliases": [ | |
"FIN7", | |
"GOLD NIAGARA", | |
"ITG14", | |
"Carbon Spider" | |
], | |
"x_mitre_deprecated": false, | |
"x_mitre_version": "2.2", | |
"x_mitre_contributors": [ | |
"Edward Millington" | |
], | |
"type": "intrusion-set", | |
"id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", | |
"created": "2017-05-31T21:32:09.460Z", | |
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
"revoked": false, | |
"external_references": [ | |
{ | |
"source_name": "mitre-attack", | |
"url": "https://attack.mitre.org/groups/G0046", | |
"external_id": "G0046" | |
}, | |
{ | |
"source_name": "Carbon Spider", | |
"description": "(Citation: CrowdStrike Carbon Spider August 2021)" | |
}, | |
{ | |
"source_name": "FIN7", | |
"description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" | |
}, | |
{ | |
"source_name": "GOLD NIAGARA", | |
"description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" | |
}, | |
{ | |
"source_name": "FireEye CARBANAK June 2017", | |
"description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", | |
"url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" | |
}, | |
{ | |
"source_name": "FireEye FIN7 April 2017", | |
"description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", | |
"url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" | |
}, | |
{ | |
"source_name": "FireEye FIN7 Aug 2018", | |
"description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.", | |
"url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" | |
}, | |
{ | |
"source_name": "Secureworks GOLD NIAGARA Threat Profile", | |
"description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.", | |
"url": "https://www.secureworks.com/research/threat-profiles/gold-niagara" | |
}, | |
{ | |
"source_name": "FireEye FIN7 Shim Databases", | |
"description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.", | |
"url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" | |
}, | |
{ | |
"source_name": "Morphisec FIN7 June 2017", | |
"description": "Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.", | |
"url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry" | |
}, | |
{ | |
"source_name": "ITG14", | |
"description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" | |
}, | |
{ | |
"source_name": "CrowdStrike Carbon Spider August 2021", | |
"description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", | |
"url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" | |
}, | |
{ | |
"source_name": "FireEye FIN7 March 2017", | |
"description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.", | |
"url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" | |
}, | |
{ | |
"source_name": "IBM Ransomware Trends September 2020", | |
"description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.", | |
"url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/" | |
} | |
], | |
"object_marking_refs": [ | |
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
], | |
"x_mitre_domains": [ | |
"enterprise-attack", | |
"ics-attack" | |
], | |
"x_mitre_attack_spec_version": "3.1.0", | |
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" | |
} | |
] | |
} |