The Anvilogic Threat Reports
Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings, as well as run exposure checks on your endpoint devices/servers, which can help identify a successful payload delivery and compromise using this vulnerability.
- Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
- Strategic: General information security news, for awareness
About the Team
The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.
We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:
- Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
- Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
- Reports Hot off the forge:
- Threat News Reports
- Trending Threat Reports
- Research Articles
If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at firstname.lastname@example.org.
Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.
If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: email@example.com
March 3rd, 2022: Hacked Sites Spread Fake “Capitulation” News
Industry: Government | Level: Strategic | Source: Reuters
As reported by Reuters, Ukraine’s State Service of Special Communication and Information Protection (SSSCIP) has identified compromised government sites posting false information about surrender/“capitulation.” Compromised sites are identified and shared on the SSSCIP Ukraine Twitter account; an example tweet posted an image of the compromised sites with the following message: “WARNING! ANOTHER FAKE! The enemy has broken into some sites of regional authorities and local governments and spreads through them lies about the alleged ‘capitulation and signing of a peace treaty with Russia.’ It’s a FAKE!”
March 3rd, 2022: Telegram Fuels Cyber Communication
Industry: N/A | Level: Strategic | Source: Check Point
Research from Check Point has identified an increase in Telegram groups during the Russia and Ukraine conflict. The groups assembled stand on both sides of the conflict, with anti-Russian groups as well as mischievous users creating fraudulent Ukrainian support groups. Check Point’s research insight shares, “since the beginning of the war, we have seen tens of groups being created daily. Some groups boast over 250,000 users. CPR estimates that about 23% of the groups observed on Telegram attempt to unite hackers, IT professionals, and other IT ‘fans’ to attack Russian targets in cyberspace. These groups are used to coordinate the attack, decide on targets and share results, even offering to help each other towards the goal.” From reports, hackers on both sides have leveraged DDoS attacks, with anti-Russian groups on Telegram observed to specifically call out particular Russian sites to DDoS.
March 9th, 2022: MicroBackdoor Attacks Ukraine
Industry: Government | Level: Tactical | Source: Portswigger
Ukraine’s Computer Emergency Response Team (CERT-UA) warns that the malware MicroBackdoor is targeting Ukrainian government agencies. The malware, as reported by The Daily Swig, is distributed in a phishing email containing a zip file with accompanying files that execute malicious code in VBScript. Intelligence from CERT-UA identified that the malware was created in January 2022.
March 16th, 2022: Anonymous Attacks Russian Government Sites
Industry: Government | Level: Strategic | Source: HackRead
As the result of DDoS attacks, the Anonymous group appears to have taken down multiple Russian government sites. As reported by HackRead, the impacted sites are the “Federal Security Service (aka FSB, the principal security agency of Russia), Stock Exchange, Analytical Center for the Government of the Russian Federation, and Ministry of Sport of the Russian Federation.” The Russian Stock Exchange’s website was identified to be offline when the article was published on March 15th, 2022; the attack spanned over seven hours, with several targeted sites remaining inaccessible.
March 16th, 2022: Ukraine Targeted with Fraudulent Translation Software
Industry: N/A | Level: Tactical | Source: SentinelOne
SentinelOne identified the threat actor group SaintBear (aka UAC-0056, UNC2589, TA471) distributing fraudulent translation software to users in Ukraine, infecting them with the malware GrimPlant and GraphSteel. The fraudulent translation software is compiled in Python and has been identified in threat campaigns as early as February 2022. When dropped on the victim’s host, the malware downloads additional .exe payloads, runs reconnaissance commands, establishes persistence and collects credentials.
- Anvilogic Scenario: SaintBear – Fraudulent Software – Infection Flow
- Anvilogic Use Cases:
- Executable File Written to Disk
- Common Reconnaissance Commands
- Query Registry
- New AutoRun Registry Key
- Windows Credentials Editor
March 21st, 2022: Threat Group, InvisiMole Striking Ukraine
Industry: Government, Military | Level: Tactical | Source: ZDNet
Ukraine’s Computer Emergency Response Team (CERT-UA) warns of attacks by the hacking group InvisiMole; the group is alleged to be associated with the APT group Gamaredon. The group is targeting “high-profile” organizations in military and diplomatic affairs. As reported by ZDNet, the threat group is initiating phishing campaigns to distribute the LoadEdge backdoor to Ukrainian organizations. The attack chain, as described by CERT-UA, involves “phishing emails being sent that have an attached archive, 501_25_103.zip, together with a shortcut (LNK) file. If opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy LoadEdge.” Follow-on activity involves DNS tunneling to deliver malicious payloads, persistence through the registry, and data collection.
- Anvilogic Use Cases:
- Compressed File Execution
- Modify Registry Key
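Added example, not Anvilogic’s detection content and not code from the CERT-UA, SentinelOne or ZDNet reports: a toy Python correlation that maps constructed endpoint events to the atomic use cases listed for the SaintBear and InvisiMole entries above (archive payload run from a temp directory, HTA handing off to a script host, executable written to disk, new AutoRun key, reconnaissance commands) and raises a host-level scenario only when several of those stages line up on one host. The event field names (ts, host, type, image, parent_image, cmdline, path, key) and the sample records are assumptions constructed for this illustration.

```python
import re
from collections import defaultdict

RECON = {"whoami", "ipconfig", "systeminfo", "net", "nltest", "tasklist"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
AUTORUN = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)

def classify(ev):
    """Return the set of atomic use-case names one endpoint event matches."""
    hits = set()
    if ev["type"] == "process":
        exe = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        cmd = ev.get("cmdline", "").lower()
        # Archive contents (LNK/HTA/VBS) run straight from a temp directory
        if exe in SCRIPT_HOSTS | {"mshta.exe"} and "\\temp\\" in cmd:
            hits.add("Compressed File Execution")
        # HTA handing off to a script host: the LoadEdge stage CERT-UA describes
        if parent == "mshta.exe" and exe in SCRIPT_HOSTS:
            hits.add("HTA Launching Script Host")
        # Discovery commands seen after the SaintBear dropper runs
        if (cmd.split() or [""])[0].rsplit("\\", 1)[-1].removesuffix(".exe") in RECON:
            hits.add("Common Reconnaissance Commands")
    elif ev["type"] == "file" and ev["path"].lower().endswith(".exe"):
        hits.add("Executable File Written to Disk")
    elif ev["type"] == "registry" and AUTORUN.search(ev["key"]):
        hits.add("New AutoRun Registry Key")
    return hits

def correlate(events, min_stages=3):
    """Per host, list distinct hits in time order; a lone noisy hit is not a scenario."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for hit in sorted(classify(ev)):
            if hit not in per_host[ev["host"]]:
                per_host[ev["host"]].append(hit)
    return {h: s for h, s in per_host.items() if len(s) >= min_stages}

SAMPLE_EVENTS = [  # constructed records modelled on the chains described above
    {"ts": 1, "host": "ws01", "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\501_25_103\doc.hta"},
    {"ts": 2, "host": "ws01", "type": "process", "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\load.vbs"},
    {"ts": 3, "host": "ws01", "type": "file", "path": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"ts": 4, "host": "ws01", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"ts": 5, "host": "ws01", "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"ts": 6, "host": "ws02", "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},  # single hit only
]
```

Running `correlate(SAMPLE_EVENTS)` returns only ws01, with all five stages in the order they occurred; ws02 shows one reconnaissance command and stays below the threshold.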
March 22nd, 2022: White House Statement to Harden Cybersecurity
Industry: Critical Infrastructure Security | Level: Strategic | Source: WhiteHouse.gov
United States President Joe Biden continues to emphasize the importance of active vigilance for cyber activity given the ongoing conflict between Russia and Ukraine. The warning comes from a White House statement: “I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” Actions taken to secure cyber defenses have included the implementation of additional cybersecurity measures for the Federal Government and various critical infrastructure sectors. Follow alerts and guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to stay organized and informed.
March 22nd, 2022: Miratorg Agribusiness Holding – Ransomware Attack
Industry: Producer & Supplier | Level: Strategic | Source: BleepingComputer
A ransomware attack using Windows BitLocker has hit Miratorg Agribusiness Holding, a meat supplier based in Moscow. BleepingComputer’s report suggests the attack was conducted for “sabotage and not financial” reasons, with the attack focused on “VetIS, a state information system used by veterinary services and companies engaging in the field, making it likely a supply chain compromise.” Additionally, a machine-translated statement from the company paints the attack as hostility from the West with regard to the Russia and Ukraine conflict: “Probably, this incident is a manifestation of the informational and economic ‘total war’ that the collective West unleashed against Russia. We are pushed to this assumption by the fact that during the entire existence of VetIS (more than 10 years) and tens of thousands of Russian and foreign software systems integrated with it, this has never happened.” Miratorg Agribusiness is working to restore business services.
March 22nd, 2022: DoubleZero Wiper
Industry: N/A | Level: Strategic | Source: Symantec
Reporting on the latest wiper, DoubleZero, remains limited. A brief analysis from Symantec identified the wiper as written in obfuscated .NET code that “overwrites or uses API calls to zero out critical system files and registry keys.” The list of wipers observed now includes WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero.
March 23rd, 2022: Anonymous Hacker Group Potentially Hacks Nestlé
Industry: Food & Beverage | Level: Strategic | Source: Fortune
On March 22nd, 2022, the Anonymous hacker group claimed on their Twitter profile to have hacked 10 GB of data from Nestlé, a multinational food and drink corporation. Nestlé’s response to the claimed breach, reported by Fortune, denies the hack, stating that the leaked data had been “accidentally” released by the company last month. A company excerpt states: “[the data leak] relates to a case from February this year, when some randomized and predominantly publicly available test data of a (business-to-business) nature was made accessible unintentionally online for a short period of time. We quickly investigated and no further action was deemed necessary.” The Anonymous group’s stated motivation for attacking Nestlé was the company’s ongoing operations in Russia, where it continues to provide services; in response, the company has opted to limit its consumer offerings there.