The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can help identify a successful payload delivery and compromise using this vulnerability.

Intelligence Levels

  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness

About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports Hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles

Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

Phishing with Chatbots

May 24, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

In the latest effort to make phishing scams look more authentic, attackers are incorporating chatbots to aid credential theft. As observed by Trustwave and BleepingComputer, the phishing emails use DHL shipping themes and contain a link to a phishing URL. Once the victim opens the link, a webchat page opens with a scripted conversation that attempts to add legitimacy by posting a photo of the alleged package and claiming that the parcel could not be delivered because of a damaged label. This setup is designed to coerce the victim into releasing personal and payment information under the guise of agreeing to re-process the package. The victim provides shipping information (name, address, and phone number) as well as payment details for the cost of shipping. The payment page even requests a one-time passcode to provide an extra layer of legitimacy.

Cryware

May 24, 2022

Industry: N/A | Level: Strategic | Source: Microsoft

Microsoft’s latest research investigates the rise of Cryware targeting hot wallets (aka non-custodial cryptocurrency wallets). Cryware takes advantage of the accessibility of data stored locally on a user’s device to steal information and conduct crypto transactions. The attacker’s objective is to obtain data associated with the hot wallet, including private keys, seed phrases, and wallet addresses. With that information a crypto transaction can be initiated, and because blockchain transactions are irreversible, the victim is unable to recover their funds. The transaction can also be conducted without the victim’s consent. Given the data strings used for wallet data (private key, seed phrase, and wallet address), attackers can craft regular expressions (regexes) to locate the information using a variety of techniques, including memory dumping, keylogging, exfiltrating the wallet’s application storage files, and clipping and switching. In the clipping and switching technique, “a Cryware monitors the contents of a user’s clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address. If the target user pastes or uses CTRL + V into an application window, the Cryware replaces the object in the clipboard with the attacker’s address.”

iPhone Chip Low-Power Mode (LPM) Security Issue

May 24, 2022

Industry: N/A | Level: Strategic | Source: Ars Technica

A security issue has been identified in Apple’s iPhone chips. When the device is powered off, the iPhone’s Bluetooth chip runs in Low-Power Mode (LPM), which is different from the “Lower Power Mode” a running device uses to conserve battery. The security risk was discovered by researchers at Germany’s Technical University of Darmstadt and explained as follows: “It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Chips responsible for near-field communication, ultra-wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off.” The exploits researched used a jailbroken iPhone, which limits some real-world applicability; however, the risk remains with attackers capable of exploiting vulnerable devices and launching firmware. The security risk is not easily solvable: “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.” Whilst the researchers have presented their findings to Apple, no comment or follow-up has been provided.

Chaos Ransomware Aligns with Russia

May 24, 2022

Industry: N/A | Level: Strategic | Source: Fortinet

Amongst notable ransomware groups taking sides with Russia in the Ukraine conflict, Chaos appears to have joined the list, as identified by Fortinet. The indication is based on the message Chaos displays when encryption has completed, which speaks negatively of the Ukrainian government. The arrival vector was not determined; however, it is likely to have come from an email or from a user browsing a forum post. The malware used by Chaos appears to be new, having a compile date of May 16th, 2022. The variant investigated by Fortinet is identified as a potential file destroyer as the attackers did provide options for recovery to the affected files and have deleted shadow copies from impacted workstations.

Twisted Panda Campaign Targets Russian Defense Institutions

May 24, 2022

Industry: N/A | Level: Tactical | Source: CheckPoint

An espionage campaign attributed to the Chinese APT groups APT10 (aka Stone Panda) and Mustang Panda has been investigated by CheckPoint and found to be targeting Russian defense entities since June 2021, with recent activity observed in April 2022. The campaign is named Twisted Panda, given the attributed threat actors involved. The targeted Russian entities are part of the state-owned defense conglomerate Rostec Corporation, specializing in radio-electronics along with research, design, and manufacturing of warfare systems. Phishing emails containing malicious documents are distributed for the campaign, using themes related to events associated with the Russia and Ukraine conflict. The malicious document from the email contains an external template (.DOTM file) and, with macro code, downloads two DLL files and an INIT file. The dropped DLL files run shellcode from the INIT file to set persistence with a scheduled task. The infection leads to the SPINNER backdoor, created from a remote thread in MSIEXEC. The backdoor has capabilities to collect system information, exfiltrate files, download additional payloads, and run OS commands.

Anvilogic Scenario:

  • Twisted Panda Campaign & SPINNER Backdoor

Anvilogic Use Cases:

  • Malicious Document Execution
  • Suspicious File written to Disk
  • Create/Modify Schtasks
  • Msiexec Abuse
  • Rare Remote Thread
  • New AutoRun Registry Key
  • Common Reconnaissance Commands

Unraveling Wizard Spider’s Operations

May 24, 2022

Industry: N/A | Level: Tactical | Source: Hacker News

Intelligence collected from PRODAFT revealed the nuances of the cybercriminal group Wizard Spider’s organizational structure and goals. The group’s financial successes provide funding to advance its research and development plans, and maintaining an effective toolset is a priority for the group. A hash cracking system was discovered by the team, capable of unraveling “LM:NTLM hashes, cached domain credentials, Kerberos 5 TGS-REP/AS-REP tickets, KeePass files, MS Office 2013 files, and other types of common hashes.” Additionally, a cold-calling system used to pressure non-responsive victims into complying with the group’s ransom was reviewed. Wizard Spider’s primary method of initial access comes from distributing spam emails containing Qakbot malware or proxy malware such as SystemBC. Additionally, the group is found to be leveraging an exploit kit incorporating the Log4Shell vulnerability. Once the network has been infiltrated, the threat group conducts reconnaissance to identify high-value targets. Cobalt Strike is deployed to assist with lateral movement, and the group prioritizes obtaining domain admin privileges to be able to deploy Conti ransomware. Various tools are identified as used by Wizard Spider, including numerous PowerShell scripts, Rubeus, SecretsDump, Adfind, Mimikatz, FileZilla, and Rclone.

Anvilogic Use Cases:

  • Executable Create Script Process
  • Rubeus Commands
  • Locate Credentials
  • Query Registry
  • NTDSUtil.exe execution
  • SecretsDump Credential Harvest
  • Adfind Execution
  • Adfind Commands
  • Mimikatz
  • Rclone Execution
  • Windows FTP Exfiltration

Conti & Its Subsidiary Group Blackbyte

May 24, 2022

Industry: N/A | Level: Tactical | Source: AdvIntel

AdvIntel’s extensive research of the Conti ransomware group dives into its subsidiary group Blackbyte, which, along with the data extortion group Karakurt, supports Conti’s operations. The relationship between Conti and Blackbyte was explored after reports of the NFL team San Francisco 49ers data breach on February 13th, 2022. Security news outlets pointed to Blackbyte as the perpetrator of the attack; however, an investigation from AdvIntel identified that the group was used “as a shell group to process the breach” with Conti as the true culprit of the attack. The breach of the 49ers’ network had begun on December 14th, 2021, with AdvIntel identifying a set of Cobalt Strike commands targeting the NFL team’s network. According to AdvIntel, “the Conti team who began the operation against 49ers on December 14 were able to compromise the victim’s primary domain and get access to the local shares and core network segments for several departments, including the team’s finance and accounting sectors.” The Blackbyte-Conti alliance revealed a larger trend in the threat landscape of “sub-divisions,” groups created to operate specifically in data exfiltration and doing so without the need for encryption. Conti has been identified by AdvIntel to also create alliances with other ransomware groups, including HelloKitty/FiveHands, Babuk, HiVE, BlackCat/ALPHV, and AvosLocker. On the future of ransomware groups, AdvIntel theorizes, “As groups grow in size and scope, they will begin to spawn business derivatives to handle some of their smaller operations in return for assistance and resources. This, in turn, will allow those subgroups to grow independently of the larger group, before extenuating circumstances, such as sanctions, struggles for power, or impending dissolution of the parent collective eventually led them to split off and become their own threat entity.” Notable detection techniques for Blackbyte emphasized detections for Rclone, Cobalt Strike, Metasploit, and PowerShell commands.

Anvilogic Use Cases:

  • Rclone Execution
  • Cobalt Strike Beacon
  • Cobalt Strike style Shell invocation
  • Obfuscated Powershell Techniques
  • Encoded Powershell Command
  • Suspicious Executable by Powershell
  • Attrib.exe Metasploit File Dropper
  • PowerSploit Metasploit Payload

Cisco Talos & BlackByte Ransomware Group

May 24, 2022

Industry: N/A | Level: Tactical | Source: Cisco Talos

Cisco Talos reports activity associated with the BlackByte ransomware group. The threat group has targeted victims worldwide, including North America, Colombia, Netherlands, China, Mexico, and Vietnam. Initial access has typically come from exploiting vulnerable services, such as ProxyShell in Microsoft Exchange or SonicWall VPN. Cisco Talos documented an intrusion that had taken place in March 2022. The infection starts with a BAT script executing and installing AnyDesk. A few hours later, a new account is created for persistence, and once again the attackers lie dormant for a few hours before proceeding to tamper with system services, modify the registry, and create firewall rules to ultimately deploy the Blackbyte ransomware. The entire infection takes 17 hours to achieve encryption. Commonalities across Blackbyte attacks show a preference for AnyDesk software along with living-off-the-land binaries (LoLBins).

Anvilogic Scenario:

  • Blackbyte: BAT Script & New Acct to Attacker Objectives

Anvilogic Use Cases:

  • Potential ProxyShell
  • Executable Create Script Process
  • Create/Add Local/Domain User
  • Service Stop Commands
  • Suspicious Executable by Powershell
  • Create/Modify Schtasks
  • Inhibit System Recovery Commands
  • Registry key added with reg.exe
  • Windows Firewall Rule Creation
  • Executable Process from Suspicious Folder
  • System Shutdown or Reboot
  • Remote Admin Tools
  • Windows Defender Disabled Detection
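
The intrusion sequence summarized above (a BAT script installing AnyDesk, then a new account, then service, registry, or firewall changes) can be hunted as an ordered, time-bounded correlation per host. The Python below is an added example, not Anvilogic's or Cisco Talos's detection content; the event schema, the matching substrings, the 24-hour window, and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def cmd_has(*needles):
    """Matcher: every substring occurs in the lower-cased command line."""
    return lambda e: all(n in e["cmd"].lower() for n in needles)

TAMPER = ("sc stop", "sc config", "reg add", "netsh advfirewall firewall add rule")

# Ordered stages from the summary above; the substrings are illustrative assumptions.
STAGES = [
    ("bat_installs_anydesk",
     lambda e: ".bat" in e["parent_cmd"].lower() and "anydesk" in e["cmd"].lower()),
    ("account_created", cmd_has("net", " user ", "/add")),
    ("system_tampering", lambda e: any(k in e["cmd"].lower() for k in TAMPER)),
]

def detect(events, window=timedelta(hours=24)):
    """Return one alert per host that walks every stage, in order, inside `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        idx, start = 0, None
        for e in sorted(evs, key=lambda e: e["ts"]):
            if start is not None and e["ts"] - start > window:
                idx, start = 0, None            # chain went stale: start over
            if STAGES[idx][1](e):
                start = start or e["ts"]
                idx += 1
                if idx == len(STAGES):
                    alerts.append({"host": host, "start": start, "end": e["ts"]})
                    idx, start = 0, None
    return alerts

T0 = datetime(2022, 3, 1, 8, 0)                 # constructed timeline origin

def ev(host, hours, parent_cmd, cmd):
    return {"host": host, "ts": T0 + timedelta(hours=hours),
            "parent_cmd": parent_cmd, "cmd": cmd}

BAT = r"cmd.exe /c C:\Users\Public\setup.bat"
ANYDESK = r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"
SAMPLE_EVENTS = [                               # constructed process-creation events
    ev("HOST-A", 0, BAT, ANYDESK),              # full chain, well inside the window
    ev("HOST-A", 3, "cmd.exe", "net user helpdesk2 Example-Passw0rd /add"),
    ev("HOST-A", 9, "cmd.exe", "sc stop ExampleBackupSvc"),
    ev("HOST-B", 1, BAT, ANYDESK),              # remote tool only: no alert
    ev("HOST-B", 2, "explorer.exe", r"reg add HKCU\Software\Example /v Theme /d dark"),
    ev("HOST-C", 0, BAT, ANYDESK),              # same stages, but too slow
    ev("HOST-C", 5, "cmd.exe", "net user helpdesk2 Example-Passw0rd /add"),
    ev("HOST-C", 40, "cmd.exe", "netsh advfirewall firewall add rule name=ex dir=in action=allow"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only HOST-A alerts with the default window; widening the window trades fewer missed slow intrusions for more noise from routine remote-tool deployments followed by unrelated admin activity.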

IceApple Post-Exploitation Toolset

May 17, 2022

Industry: Academic, Government, Technology | Level: Strategic | Source: CrowdStrike

An Internet Information Services (IIS) post-exploitation framework named IceApple was discovered by the CrowdStrike Falcon OverWatch team in late 2021. IceApple has mainly been observed deployed on Microsoft Exchange servers; however, the threat is applicable to any Internet Information Services (IIS) web application. Deployment of this toolset has been observed in multiple verticals, namely academic, government, and technology, and in impacted organizations in “geographically distinct locations.” The framework works in-memory, has been identified with 18 modules at a minimum, and is likely in development. IceApple maintains a low forensic footprint, likely to enable long-term espionage, and this style of operation could align with a Chinese state-sponsored actor. Usage of the tool varied based on the threat actor’s progress in a victim’s network; as stated by CrowdStrike, “IceApple was observed being rapidly deployed to multiple hosts to facilitate credential harvesting from local and remote host registries, credential logging on OWA servers, reconnaissance, and data exfiltration. OverWatch then observed adversaries returning to networks daily to continue their activity.” Whilst maintaining a reliable foothold in the target’s environment, attackers would return 10 to 14 days later to ensure access is still available. The recommended action to defend against IceApple is to ensure web applications are updated and patched.

Increased Threats to Managed Service Providers

May 17, 2022

Industry: Technology | Level: Strategic | Source: CISA

A warning was issued to managed service providers (MSPs) by Five Eyes, a collective intelligence alliance from the United States, United Kingdom, Australia, Canada, and New Zealand. As stated in the advisory, “Whether the customer’s network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base.” The intelligence agencies have not provided any specific targets, only mentioning reports of an increase in cyber activity against MSPs. The agencies’ recommendations urge hardening defenses, including reinforcing public-facing applications, enabling and improving logging, implementing MFA, segregating networks, utilizing the principle of least privilege, ensuring obsolete accounts and systems are deprecated, updating systems, and creating regular backups of data.