The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: we help your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can identify a successful payload delivery and compromise via a given vulnerability.

Intelligence Levels
  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness

About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles

Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

Hacked Sites Spread Fake “Capitulation” News

March 25, 2022

March 3rd, 2022: Hacked Sites Spread Fake “Capitulation” News

Industry: Government | Level: Strategic | Source: Reuters

As reported by Reuters, Ukraine’s State Service of Special Communication and Information Protection (SSSCIP) has identified compromised government sites posting false information about surrender, or “capitulation.” Compromised sites are identified and shared on the SSSCIP Ukraine Twitter account; one example tweet posted an image of the compromised sites with the following message: “WARNING! ANOTHER FAKE! The enemy has broken into some sites of regional authorities and local governments and spreads through them lies about the alleged “capitulation and signing of a peace treaty with Russia.” It’s a FAKE!”

Telegram Fuels Cyber Communication

March 25, 2022

March 3rd, 2022: Telegram Fuels Cyber Communication

Industry: N/A | Level: Strategic | Source: Check Point

Research from Check Point has identified an increase in Telegram groups during the Russia and Ukraine conflict. The assembled groups stand on both sides of the conflict, with anti-Russian groups alongside mischievous users creating fraudulent Ukrainian support groups. Check Point’s research insight shares, “since the beginning of the war, we have seen tens of groups being created daily. Some groups boast over 250,000 users. CPR estimates that about 23% of the groups observed on Telegram attempt to unite hackers, IT professionals, and other IT “fans” to attack Russian targets in cyberspace. These groups are used to coordinate the attack, decide on targets and share results, even offering to help each other towards the goal.” From reports, hackers on both sides have leveraged DDoS attacks, with anti-Russian groups on Telegram observed to specifically call out particular Russian sites to DDoS.

MicroBackdoor Attacks Ukraine

March 25, 2022

March 9th, 2022: MicroBackdoor Attacks Ukraine

Industry: Government | Level: Tactical | Source: Portswigger

Ukraine’s Computer Emergency Response Team (CERT-UA) warns that the MicroBackdoor malware is targeting Ukrainian government agencies. According to The Daily Swig, the malware is distributed in a phishing email containing a zip file whose accompanying files execute malicious VBScript code. Intelligence from CERT-UA indicates the malware was created in January 2022.

  • Anvilogic Scenario: MICROBACKDOOR Infection Flow
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Wscript/Cscript Execution

Anonymous Attacks Russian Government Sites

March 25, 2022

March 16th, 2022: Anonymous Attacks Russian Government Sites

Industry: Government | Level: Strategic | Source: HackRead

As the result of DDoS attacks, the Anonymous group appears to have taken down multiple Russian government sites. As reported by HackRead, the impacted sites are the “Federal Security Service (aka FSB, the principal security agency of Russia), Stock Exchange, Analytical Center for the Government of the Russian Federation, and Ministry of Sport of the Russian Federation.” The Russian Stock Exchange’s website was still offline when the article was published on March 15th, 2022; the attack spanned over seven hours, with several targeted sites remaining inaccessible.

Ukraine Targeted with Fraudulent Translation Software

March 25, 2022

March 16th, 2022: Ukraine Targeted with Fraudulent Translation Software

Industry: N/A | Level: Tactical | Source: SentinelOne

SentinelOne identified the threat actor group SaintBear (aka UAC-0056, UNC2589, TA471) distributing fraudulent translation software to users in Ukraine in order to infect them with the GrimPlant and GraphSteel malware. The fraudulent translation software is compiled in Python and has been identified in threat campaigns as early as February 2022. When dropped on the victim’s host, the malware downloads additional .exe payloads, runs reconnaissance commands, establishes persistence and collects credentials.

  • Anvilogic Scenario: SaintBear – Fraudulent Software – Infection Flow
  • Anvilogic Use Cases:
    • Executable File Written to Disk
    • Common Reconnaissance Commands
    • Query Registry
    • New AutoRun Registry Key
    • Windows Credentials Editor

Threat Group, InvisiMole Striking Ukraine

March 25, 2022

March 21st, 2022: Threat Group, InvisiMole Striking Ukraine

Industry: Government, Military | Level: Tactical | Source: ZDNet

Ukraine’s Computer Emergency Response Team (CERT-UA) warns of attacks by the hacking group InvisiMole; the group is alleged to be associated with the APT group Gamaredon. The group is targeting “high-profile” organizations in military and diplomatic affairs. As reported by ZDNet, the threat group is running phishing campaigns to distribute the LoadEdge backdoor to Ukrainian organizations. The attack chain, as described by CERT-UA, involves “phishing emails being sent that have an attached archive, 501_25_103.zip, together with a shortcut (LNK) file. If opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy LoadEdge.” Follow-on activity involves DNS tunneling to deliver malicious payloads, persistence through the registry, and data collection.

  • Anvilogic Use Cases:
    • Compressed File Execution
    • Modify Registry Key

White House Statement to Harden Cybersecurity

March 25, 2022

March 22nd, 2022: White House Statement to Harden Cybersecurity

Industry: Critical Infrastructure Security | Level: Strategic | Source: WhiteHouse.gov

United States President Joe Biden continues to emphasize the importance of active vigilance for cyber activity given the ongoing conflict between Russia and Ukraine. The warning comes from a White House statement: “I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” Actions taken to secure cyber defenses have included the implementation of additional cybersecurity measures for the Federal Government and various critical infrastructure sectors. Follow alerts and guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to stay organized and informed.

Miratorg Agribusiness Holding – Ransomware Attack

March 25, 2022

March 22nd, 2022: Miratorg Agribusiness Holding – Ransomware Attack

Industry: Producer & Supplier | Level: Strategic | Source: BleepingComputer

A ransomware attack using Windows BitLocker has hit Miratorg Agribusiness Holding, a meat supplier based in Moscow. BleepingComputer believes the attack was conducted for “sabotage and not financial” reasons, with a focus on “VetIS, a state information system used by veterinary services and companies engaging in the field, making it likely a supply chain compromise.” Additionally, a machine-translated statement from the company paints the attack as hostility from the West regarding the Russia and Ukraine conflict: “Probably, this incident is a manifestation of the informational and economic “total war” that the collective West unleashed against Russia. We are pushed to this assumption by the fact that during the entire existence of VetIS (more than 10 years) and tens of thousands of Russian and foreign software systems integrated with it, this has never happened.” Miratorg Agribusiness is working to restore business services.

DoubleZero Wiper

March 25, 2022

March 22nd, 2022: DoubleZero Wiper

Industry: N/A | Level: Strategic | Source: Symantec

Reporting on the latest wiper, DoubleZero, remains limited. A brief analysis from Symantec identified the wiper as obfuscated .NET code that “overwrites or uses API calls to zero out critical system files and registry keys.” The list of wipers observed now includes WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero.

Anonymous Hacker Group Potentially Hacks Nestlé

March 25, 2022

March 23rd, 2022: Anonymous Hacker Group Potentially Hacks Nestlé

Industry: Food & Beverage | Level: Strategic | Source: Fortune

On March 22nd, 2022, the Anonymous hacker group claimed on its Twitter profile to have hacked 10 GB of data from Nestlé, a multinational food and drink corporation. In a response reported by Fortune, Nestlé denies the hack, stating the leaked data had been “accidentally” released by the company last month. A company excerpt states “[the data leak] it relates to a case from February this year, when some randomized and predominantly publicly available test data of a (business-to-business) nature was made accessible unintentionally online for a short period of time. We quickly investigated and no further action was deemed necessary.” Anonymous’s stated motivation for attacking Nestlé was the company’s ongoing operations in Russia, where it has continued to provide services; in response, the company has opted to limit its consumer offerings in the country.