
Cinnamon Tempest

Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)
ID: G1021
Associated Groups: BRONZE STARLIGHT, DEV-0401, Emperor Dragonfly
Created: 06 Dec 2023
Last Modified: 04 Apr 2024

Associated Group Descriptions

| Name | Description |
|---|---|
| BRONZE STARLIGHT | (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) |
| DEV-0401 | (Citation: Microsoft Threat Actor Naming July 2023) |
| Emperor Dragonfly | (Citation: Sygnia Emperor Dragonfly October 2022) |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Cinnamon Tempest has used PowerShell to communicate with C2, download files, and execute reconnaissance commands.(Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.(Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Cinnamon Tempest has used a customized version of the Impacket wmiexec.py module to create renamed output files.(Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Cinnamon Tempest has created system services to establish persistence for deployed tooling.(Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | Cinnamon Tempest has used Group Policy to deploy batch scripts for ransomware deployment.(Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Cinnamon Tempest has uploaded captured keystroke logs to the Alibaba Cloud Object Storage Service, Aliyun OSS.(Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons.(Citation: Microsoft Ransomware as a Service)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Cinnamon Tempest has abused legitimate executables to side-load weaponized DLLs.(Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Cinnamon Tempest has used open-source tools including customized versions of the Iox proxy tool, NPS tunneling tool, Meterpreter, and a keylogger that uploads data to Alibaba cloud storage.(Citation: Sygnia Emperor Dragonfly October 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Cinnamon Tempest has used SMBexec for lateral movement.(Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Cinnamon Tempest has obtained highly privileged credentials such as domain administrator in order to deploy malware.(Citation: Microsoft Ransomware as a Service) |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0633 | Sliver | (Citation: Bishop Fox Sliver Framework August 2019) (Citation: Microsoft Ransomware as a Service) | Process Injection, File and Directory Discovery, Steganography, Access Token Manipulation, DNS, Encrypted/Encoded File, Asymmetric Cryptography, System Network Configuration Discovery, Screen Capture, Web Protocols, Ingress Tool Transfer, Symmetric Cryptography, Exfiltration Over C2 Channel, Standard Encoding, System Network Connections Discovery |
| S0357 | Impacket | (Citation: Impacket Tools) (Citation: Microsoft Ransomware as a Service) (Citation: Sygnia Emperor Dragonfly October 2022) | LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets |
| S1097 | HUI Loader | (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) (Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) | Indicator Blocking, Deobfuscate/Decode Files or Information, DLL Search Order Hijacking |
| S1040 | Rclone | (Citation: DarkSide Ransomware Gang) (Citation: Detecting Rclone) (Citation: DFIR Conti Bazar Nov 2021) (Citation: Rclone Wars) (Citation: Rclone) (Citation: Sygnia Emperor Dragonfly October 2022) | Exfiltration to Cloud Storage, File and Directory Discovery, Data Transfer Size Limits, Archive via Utility, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol |
| S1096 | Cheerscrypt | (Citation: Sygnia Emperor Dragonfly October 2022) (Citation: Trend Micro Cheerscrypt May 2022) | Service Stop, Data Encrypted for Impact, File and Directory Discovery |
| S0013 | PlugX | (Citation: CIRCL PlugX March 2013) (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Thoper) (Citation: TVT) | Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information |
| S0664 | Pandora | (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) (Citation: Microsoft Ransomware as a Service) (Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) (Citation: Sygnia Emperor Dragonfly October 2022) (Citation: Trend Micro Iron Tiger April 2021) | Ingress Tool Transfer, DLL Side-Loading, Symmetric Cryptography, Exploitation for Privilege Escalation, Windows Service, Web Protocols, Process Discovery, Traffic Signaling, Obfuscated Files or Information, Service Execution, Code Signing Policy Modification, Process Injection, Modify Registry |
| S0154 | Cobalt Strike | (Citation: cobaltstrike manual) (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) (Citation: Microsoft Ransomware as a Service) | Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information |
