The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: helping your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can help identify successful payload delivery and compromise via a given vulnerability.

Intelligence Levels
  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness

About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our crafts are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports Hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles

Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

Anonymous Group Hacks Federal Russian Agency

March 21, 2022

March 14th, 2022: Anonymous Group Hacks Federal Russian Agency

Industry: Government | Level: Strategic | Source: CySecurity

The Anonymous group, supporting Ukraine in the Russian conflict, has compromised Roskomnadzor, the Russian media censorship agency. The hack, reported by HackRead, involved an Anonymous affiliate sharing approximately 820Gb of data from Roskomnadzor on the website Distributed Denial of Secrets (aka DDoSecrets). Since the Russian invasion started, Russia has censored information regarding the attack, with Roskomnadzor playing a vital role; as HackRead states, “the Russian government has blocked all key sources of information, particularly news and media outlets, and Roskomnadzor was tasked to block Facebook, Twitter, and other online platforms.”

Update: CaddyWiper Data Wiper Attacks Ukraine

March 18, 2022

March 14th, 2022: CaddyWiper Data Wiper Attacks Ukraine

Industry: N/A | Level: Strategic | Source: BleepingComputer

Initially discovered by ESET researchers and reported by BleepingComputer, a new data-destroying malware named CaddyWiper is attacking Ukrainian organizations. Shared from ESET’s Twitter, “ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.” Interestingly, the malware checks whether the host is a domain controller and, if so, leaves the data on it untouched. ESET hypothesizes this exclusion is to ensure the attacker retains access. Analysis of the malware identified it was compiled on Monday, March 14th, 2022 at 07:19:32 UTC. While the malware does not share “significant code similarity” with prior wipers, CaddyWiper’s deployment is similar to HermeticWiper’s; as ESET’s tweet states, “similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target’s network beforehand.”

Threat Group Delivers Cobalt Strike Through AV Updates

March 18, 2022

March 14th, 2022: Threat Group Delivers Cobalt Strike Through AV Updates

Industry: Critical Infrastructure | Level: Strategic | Source: BleepingComputer

The Ukrainian Computer Emergency Response Team alerted users to a phishing campaign impersonating the Ukrainian government. The campaign prompts potential victims to download fraudulent “critical security updates” that ultimately deliver a Cobalt Strike beacon. The activity has also been observed by MalwareHunterTeam and is reported by BleepingComputer. The phishing email contains a malicious link that downloads an executable masquerading as “itdefenderWindowsUpdatePackage.exe”; when executed, it displays a prompt about “installing the Windows update package”, but if installed the user actually downloads a Cobalt Strike beacon from Discord. Additional backdoors are dropped on the victim host, establishing persistence and conducting reconnaissance and command execution to achieve the threat actor’s objective. The Ukrainian Computer Emergency Response Team attributed this threat activity with medium confidence to the Russian threat group UAC-0056/Lorec53.

Utilizing Cloud Technology in Russia and Ukraine

March 18, 2022

March 16th, 2022: Utilizing Cloud Technology in Russia and Ukraine

Industry: Digital Services, Education, Media, Network, Technology, Telecommunications | Level: Strategic | Source: AquaSec

Analysis from AquaSec’s Team Nautilus tracked the use of cloud technologies associated with the Russia and Ukraine conflict. The review covered public repositories including DockerHub, GitHub, NPM, Go, Python and Ruby. DockerHub contained the most resources associated with the conflict, followed by GitHub, NPM, Go, Python and Ruby. AquaSec identified that “about 40% of the packages we observed were related to denial-of-service (DoS) activity aimed at disrupting the network traffic of online services. Other public repositories provided information to Ukrainian and Russian citizens or tools to block user networks from the conflict area.” Among the DockerHub container images, those built to assist with DDoS attacks against Russia included steps to initiate the attack as well as a target list. A review of attacks in the wild by AquaSec identified the sectors most targeted by DDoS attacks as (in order) network, media, technology, digital services, telecommunications and education.

Anonymous Attacks Russian Government Sites

March 18, 2022

March 16th, 2022: Anonymous Attacks Russian Government Sites

Industry: Government | Level: Strategic | Source: HackRead

As the result of DDoS attacks, the Anonymous group appears to have taken down multiple Russian government sites. As reported by HackRead, the impacted sites are the “Federal Security Service (aka FSB, the principal security agency of Russia), Stock Exchange, Analytical Center for the Government of the Russian Federation, and Ministry of Sport of the Russian Federation.” The Russian Stock Exchange’s website was still offline when the article was published on March 15th, 2022; the attack spanned over seven hours, with several targeted sites remaining inaccessible.

Ukraine Targeted with Fraudulent Translation Software

March 18, 2022

March 16th, 2022: Ukraine Targeted with Fraudulent Translation Software

Industry: N/A | Level: Tactical | Source: SentinelOne

SentinelOne identified the threat actor group SaintBear (aka UAC-0056, UNC2589, TA471) distributing fraudulent translation software to users in Ukraine to infect them with the GrimPlant and GraphSteel malware. The fraudulent translation software is compiled in Python and has been seen in threat campaigns as early as February 2022. When dropped on the victim’s host, the malware downloads additional .exe payloads, runs reconnaissance commands, establishes persistence and collects credentials.

  • Anvilogic Scenario: SaintBear – Fraudulent Software – Infection Flow
  • Anvilogic Use Cases:
    • Executable File Written to Disk
    • Common Reconnaissance Commands
    • Query Registry
    • New AutoRun Registry Key
    • Windows Credentials Editor
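To illustrate how atomic use cases like the ones listed above feed a sequence-based scenario (the Threat Identifier / Threat Scenario split described in Our Craft), the following Python script is example code added for this page; it is not Anvilogic’s detection content. The pipe-delimited log format, host names, command list and the 3-identifier / 30-minute threshold are constructed assumptions chosen to make the logic runnable offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not taken from the report). One event per line:
# "timestamp|host|event_type|detail". Event types mimic generic EDR fields.
SAMPLE_EVENTS = """\
2022-03-14T09:00:01Z|ws-17|file_write|C:\\Users\\olena\\Downloads\\translator.exe
2022-03-14T09:00:05Z|ws-17|process|C:\\Users\\olena\\Downloads\\translator.exe
2022-03-14T09:00:09Z|ws-17|process|cmd.exe /c whoami
2022-03-14T09:00:10Z|ws-17|process|cmd.exe /c systeminfo
2022-03-14T09:00:12Z|ws-17|process|reg query HKLM\\SOFTWARE\\Policies
2022-03-14T09:00:20Z|ws-17|registry_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater=C:\\Users\\olena\\AppData\\Local\\update.exe
2022-03-14T09:01:02Z|ws-17|process|wce.exe -w
2022-03-14T11:30:00Z|ws-42|process|cmd.exe /c whoami
2022-03-14T11:45:00Z|ws-42|file_write|C:\\Program Files\\Vendor\\setup.exe
"""

# Assumed list of "common reconnaissance commands"; a real ruleset would be longer.
RECON_COMMANDS = {"whoami", "systeminfo", "ipconfig", "net user", "tasklist"}
# Matches writes under HKCU/HKLM ...\CurrentVersion\Run or RunOnce (AutoRun keys).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, etype, detail = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "type": etype, "detail": detail})
    return events


def threat_identifiers(event):
    """Atomic identifiers: the set of labels a single event matches."""
    ids = set()
    detail = event["detail"]
    low = detail.lower()
    if event["type"] == "file_write" and low.endswith(".exe") and "\\users\\" in low:
        ids.add("exe_written_user_dir")          # Executable File Written to Disk
    if event["type"] == "process" and any(c in low for c in RECON_COMMANDS):
        ids.add("recon_command")                 # Common Reconnaissance Commands
    if event["type"] == "process" and low.startswith("reg query"):
        ids.add("query_registry")                # Query Registry
    if event["type"] == "registry_set" and AUTORUN_KEY.search(detail):
        ids.add("new_autorun_key")               # New AutoRun Registry Key
    if event["type"] == "process" and re.search(r"(^|\\)wce\.exe\b", low):
        ids.add("windows_credentials_editor")    # Windows Credentials Editor
    return ids


def threat_scenarios(events, window=timedelta(minutes=30), min_distinct=3):
    """Sequence-based scenario: alert on any host that triggers at least
    `min_distinct` different identifiers inside a sliding `window`.
    Returns {host: sorted list of identifier labels}."""
    per_host = defaultdict(list)
    for event in events:
        for label in threat_identifiers(event):
            per_host[event["host"]].append((event["ts"], label))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            labels = {lab for ts, lab in hits[i:] if ts - start <= window}
            if len(labels) >= min_distinct:
                alerts[host] = sorted(labels)
                break
    return alerts


if __name__ == "__main__":
    for host, labels in threat_scenarios(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {', '.join(labels)}")
```

Host ws-17 trips five identifiers within a minute and is alerted; ws-42 only shows a lone `whoami` and a vendor installer outside a user profile, so no single identifier is enough to raise a scenario on its own. That is the point of the two-tier model: the atomic identifiers are intentionally noisy, and the scenario layer supplies the precision.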

Protestware

March 18, 2022

Protestware

Industry: Technology | Level: Strategic | Source: Snyk

To protest the ongoing conflict between Russia and Ukraine, the developer of the NPM package node-ipc released compromised versions of the software targeting users in Russia and Belarus. Sabotaged versions of the package were released on March 8th by the developer Brandon Nozaki Miller, aka RIAEvangelist. Described by Snyk as a supply chain-style attack, the compromised versions impact the victim host by “corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms.” Tracked under CVE-2022-23812, the reported malicious versions are node-ipc 10.1.1 and 10.1.2. These versions are no longer available on GitHub or npm; version 10.1.3, which does not contain the delete operations in the code, has been released.
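An exposure check for the versions named above, added here as example code (it is not from Snyk, npm or the node-ipc project). It walks a package-lock.json so that transitive copies nested under another dependency are found, not only the top-level one. The lockfile excerpt is constructed, and only the two version numbers the report names are treated as affected.

```python
import json

# Versions the report names as carrying the destructive code (CVE-2022-23812).
AFFECTED_NODE_IPC = {"10.1.1", "10.1.2"}

# Constructed package-lock.json excerpt (not from any real project). lockfileVersion 2
# carries both the flat "packages" map and the nested legacy "dependencies" tree,
# so the walker below is exercised on both shapes.
SAMPLE_LOCKFILE = """
{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"some-cli": "^1.0.0"}},
    "node_modules/some-cli": {"version": "1.4.0", "dependencies": {"node-ipc": "^10.1.0"}},
    "node_modules/some-cli/node_modules/node-ipc": {"version": "10.1.2"},
    "node_modules/node-ipc": {"version": "10.1.3"}
  },
  "dependencies": {
    "some-cli": {
      "version": "1.4.0",
      "requires": {"node-ipc": "^10.1.0"},
      "dependencies": {"node-ipc": {"version": "10.1.2"}}
    },
    "node-ipc": {"version": "10.1.3"}
  }
}
"""


def find_package_versions(lock, name):
    """Return {install_path: version} for every installed copy of `name`.

    Handles lockfileVersion 2/3 ("packages": keys such as
    node_modules/a/node_modules/b) and lockfileVersion 1 ("dependencies":
    a nested tree). Both are walked when present; results are keyed by the
    normalized install path so the same copy seen twice collapses to one entry.
    """
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path.endswith(f"node_modules/{name}"):
            found[path] = meta.get("version")

    def walk(tree, prefix):
        for dep, meta in tree.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                found.setdefault(path, meta.get("version"))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def node_ipc_copies(lock_text):
    """All installed node-ipc copies in a package-lock.json string."""
    return find_package_versions(json.loads(lock_text), "node-ipc")


def exposed_node_ipc(lock_text):
    """Only the copies whose version is one the report lists as sabotaged."""
    return {path: ver for path, ver in node_ipc_copies(lock_text).items()
            if ver in AFFECTED_NODE_IPC}


if __name__ == "__main__":
    hits = exposed_node_ipc(SAMPLE_LOCKFILE)
    if hits:
        for path, ver in hits.items():
            print(f"EXPOSED: {path} is node-ipc {ver}")
    else:
        print("no affected node-ipc versions found")
```

In the constructed lockfile the top-level node-ipc is already the fixed 10.1.3, but `some-cli` pins its own nested copy at 10.1.2, which is exactly the case a top-level-only check misses. Run the same walk against a lockfile from each build pipeline, and treat a hit as a reason to pin or override the transitive dependency, not just to update the direct one.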

RURansom Wiper

March 18, 2022

March 9th, 2022: RURansom Wiper

Industry: N/A | Level: Strategic | Source: TrendMicro

A new wiper associated with the Russia and Ukraine conflict has been discovered. This wiper is targeted against Russia and is named RURansom Wiper. As reported by TrendMicro, the malware was detected between February 26 and March 2, 2022, and is likely still in development given the different variations observed. The “ransom note” found in the malware contained the following translated message: “on February 24, President Vladimir Putin declared war on Ukraine…. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President. There is no way to decrypt your files. No payment, only damage. And yes, this is ‘peacekeeping’ like Vladi Papa does, killing innocent civilians.” The malware appears to target only Russian assets: the analyzed versions execute only if the host’s software is Russian or its IP is in Russia. Additionally, the developer of the malware also appears to be developing another malware, dnWipe, which base64-encodes files with specific extensions: “.doc, .docx, .png, .gif, .jpeg, .jpg, .mp4, .txt, .flv, .mp3, .ppt, .pptx, .xls, and .xlsx”.

Malware “Liberator” Targets Ukraine

March 18, 2022

March 10th, 2022: Malware “Liberator” Targets Ukraine

Industry: N/A | Level: Strategic | Source: CiscoTalos

Cybercriminals are taking advantage of sympathizers and supporters of the Russia and Ukraine conflict. Fraudulent donation schemes and phishing emails exploiting the crisis have been observed. The latest, as reported by Cisco Talos, is an infostealer malware, Liberator, being distributed to Ukraine sympathizers under the guise of a DDoS tool to target Russia. The malware is distributed through Telegram, targeting members of the Ukraine IT Army. Cisco Intelligence identifies the threat actor associated with the activity as having been active since November 2021, distributing various types of information stealers, and now taking advantage of the crisis.

Lapsus$ Breaches Mercado Libre

March 15, 2022

Lapsus$ Breaches Mercado Libre

Industry: E-Commerce | Level: Strategic | Source: BleepingComputer

Threat group Lapsus$’s recent string of breaches, including Nvidia and Samsung, has now added the Argentine e-commerce giant Mercado Libre, Inc. to the compromise list. As reported by BleepingComputer, “unauthorized access” to the company’s source code was identified, potentially impacting approximately 300,000 of the company’s users. According to the company’s Securities and Exchange Commission (SEC) Form 8-K filing, the breach did not impact the company’s IT infrastructure. Mercado provided the following statement: “Although data from approximately 300,000 users (out of our nearly 140 million unique active users) was accessed, to date and according to our initial analysis, we have not found any evidence that our infrastructure systems have been compromised or that any users’ passwords, account balances, investments, financial information or credit card information were obtained. We are taking strict measures to prevent further incidents.”