Group-IB

• Incoming feed - Group-IB APT Threat
• Incoming feed - Group-IB Brand Abuse Phishing Kit
• Incoming feed - Group-IB Compromised Data Accounts
• Incoming feed - Group-IB Compromised Data Cards
• Incoming feed - Group-IB Human Intelligence Threat
• Incoming feed - Group-IB Malware C2
• Incoming feed - Group-IB Attacks Phishing
• Incoming feed - Group-IB Phishing Brand Abuse
• Incoming feed - Group-IB Attacks Phishing Kit
• Incoming feed - Group-IB Suspicious IP Socks Proxy

# Release History


## 2.14.11, 3.1.7, 3.2.1, 3.3.1

Release date: 20 March 2023

**Fixed:**
* General improvements with how we download data for Socks Proxy and Accounts Data feeds
* Issue with unexpected change in Fixed Attacks Phishing Kit data


## 3.0.7, 3.1.6, 3.2.1

Release date: 5 December 2023

**Added:**
* Now supports Group-IB Compromised Mule feed
* Now supports Malware and Location entities

**Fixed:**
* Use API routes prescribed by Group-IB to prevent occurrences of HTTP 404, 403, 502 errors
* Group-IB Human Intelligence Threat and Group-IB APT Threat feeds are now more reliable.
* Fix a validation issue
* Group-IB Malware C2 and Group-IB Compromised Accounts now correctly updates existing entities on each run.
* Group-IB Malware C2 and Group-IB Compromised Accounts now handles deduplication of entities correctly.
* General improvements with how we deduplicate entities.


## 3.0.6

Release date: 24 October 2023

**Added:**
* Now provides Group-IB Attacks DDoS Feed

## 2.14.9, 3.0.5, 3.1.4

Release date: 10 October 2023

**Changed:**

Multiple incoming feeds updated.

* Removed the following feeds.
  Group-IB has discontinued the endpoints
  these feeds require:

* Group-IB Phishing Brand Abuse
  * `/api/v2/bp/phishing`
* Group-IB Brand Abuse Phishing Kit
  * `/api/v2/bp/phishing_kit`

* Updated endpoints for the following feeds to address issue where feed cannot
  find new packages to download, and improve data mapping:

  * Group-IB Attacks Phishing
    * Old: `/api/v2/attacks/phishing`
    * Now: `/api/v2/attacks/phishing_group`
  * Group-IB Compromised Data Accounts
    * Old: `/api/v2/compromised/account`
    * Now: `/api/v2/compromised/account_group`
  * Group-IB Compromised Data Cards Feed
    * Old: `/api/v2/compromised/card`
    * Now: `/api/v2/compromised/masked_card`
 

## 2.14.8, 3.0.4, 3.1.3

Release date: 25 September 2023

**Changed:**

- This release updates the Group-IB Human Intelligence Threat and Group-IB APT Threat incoming feeds.
- For both feeds:
  - `md5`, `sha256`, `sha512` hashes from Group-IB
    are now included in description field of produced entities.
  - `sha224` now ingested as `hash-sha224` observables.
  - Now ingests contents of `malwares` field and:
    - Creates TTP entities from `malware`
    - TTP entities created from contents of `targetedCompany` now contain a targeted victim characteristic.
    - Creates indicator entities containing YARA rules from `yara`.
    - Creates indicator entities containing SNORT rules from `ioc`.
  - Creates exploit target entities from contents of `cveList` and CVEs found in `threat_actors`.
  - Creates threat actor entities from the contents of `threat_actors`.
  - Resulting report entities have been updated:
    - More tags.
    - No longer prefixed with `Report: `
  - Related indicator entities now:
    - Can include first observed timestamp.
    - Now includes SSL cert hashes in entity description.


- Updated Group-IB Human Intelligence Threat incoming feed. Now:
  - Retrieves connected threat actor data from `/api/v2/hi/threat_actor/`.
  - Fetches additional reports and exploit targets from `/api/v2/hi/threat/` and `/api/v2/osi/vulnerability/`.
  - Enriches resulting reports with data from `/api/v2/malware/malware`.


- Updated Group-IB APT Threat incoming feed. Now:
  - Retrieves connector threat actor data from `/api/v2/apt/threat_actor/`.
  - Fetches additional reports and exploit targets from `/api/v2/apt/threat/` and `/api/v2/osi/vulnerability/`.
  - Enriches resulting reports with data from `/api/v2/malware/malware`.  


## 2.14.7, 3.0.3, 3.1.2

Release date: 31 August 2023

**Added:**

- Now supports ingesting SHA-224 hashes as observables.
- Now supports ingesting report intents from Group-IB.
- Threat actor entities are created with data fetched from the APT or the Human Intelligence endpoints

**Changed:**

- Group-IB Threat APT incoming feed now includes the following data in ingested reports:
  - Detected file hashes.
  - Report intents.
  - Associated malware.
  - makes an additional request to `/api/v2/apt/threat_actor/`
    and ingest associated threat actors.
- Group-IB Human Intelligence Threat incoming feed now makes an additional request to
`/api/v2/hi/threat_actor/` to retrieve and ingest associated threat actors.
- Associated threat actors pulled in by Threat APT and Human Intelligence Threat incoming feeds.
- Now, only truthy `isAPT` values in Group-IB data are now ingested only as `isAPT` tags,
  instead of ingesting variants like `isAPT - True` or `isAPT - False`.
- Ingested entity titles are no longer prefixed with "Report:" or "Threat Actor:".
- Ambiguous tags ingested from reliability values are now clearer, prefixed with 'Reliability'.
- Removed Group-IB API URL from reference sections.
- Now, Threat reports includes additional fields:
  - Short descriptions
  - Intents
  - Following tags are added:
    - Malware categories
    - Item reliability

**Fixed:**

- Fixes issue where ingested MITRE ATT&CK IDs could have duplicates.

## 3.1.1, 3.0.2, 2.14.6
Release date: 11 Jul 2023

**Fixed:**

- Issue where Group-IB sectors were missing from tags in entities. 


## 3.0.1, 2.15.2, 2.14.5

Release date: 07 June 2023

**Fixed:**
- Added timestamp to all entities
- Country extracts are included in Threat reports
- All targeted companies are added as TTP entities
- Image files are no longer created as extracts


## 3.0.0, 2.15.1, 2.14.4

Release date: 26 Apr 2023

**New Features**
* Improved pagination fields to update timestamps

**Fixed:**
* Updated base URL and enpoints

## 2.14.3, 2.13.3

Release date: 24 Feb 2023

**Fixed:**

- Issue where APT Threat feed would not ingest MITRE ATT&CK indicators.


## 2.14.2, 2.13.2

Release date: 24 Jan 2022

**Fixed:**

- Issue where the Group-IB Attack Phishing kit and Malware C2 feeds
would attempt to download and ingest the same package multiple times.

## 2.14.1, 2.13.1

Release date: 29 Nov 2022

**Fixed:**

- Issue where the Group-IB Suspicious IP Socks Proxy feed would fail
if the incoming data does not contain a reference to the Group-IB portal.


## Initial release

Release date: 11 August, 2020

**Features:**

* Now provides the Group-IB Compromised Data Accounts incoming feed.
* Now provides the Group-IB Compromised Data Cards Feed incoming feed.
* Now provides the Group-IB Human Intelligence Threat incoming feed.
* Now provides the Group-IB APT Threat incoming feed.
* Now provides the Group-IB Attacks Phishing incoming feed.
* Now provides the Group-IB Attack Phishing Kit incoming feed.
* Now provides the Group-IB Phishing Brand Abuse incoming feed.
* Now provides the Group-IB Brand Abuse Phishing Kit incoming feed.
* Now provides the Group-IB Suspicious IP Socks Proxy incoming feed.
* Now provides the Group-IB Malware C2 incoming feed.