Microsoft reports on lessons learned during the first four months of the Russia and Ukraine cyber war. Russia has been observed increasing intelligence activities against Ukrainian allies with the goal of collecting sensitive information from NATO and Western powers.
The Anvilogic Threat Reports
Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: our reports help your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can help identify a successful payload delivery and compromise using the vulnerability in question.
- Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
- Strategic: General information security news, for awareness
About the Team
The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.
We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:
- Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
- Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
- Reports hot off the Forge:
- Threat News Reports
- Trending Threat Reports
- Research Articles
If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at email@example.com.
Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.
If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us we’re happy to help: firstname.lastname@example.org
Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform
Since the second quarter of 2022, McAfee Labs has observed a rising use of LNK (shortcut) files in attacks to deliver malware such as Emotet, Qakbot and IcedID.
Industry: N/A | Level: Tactical | Source: Cybereason
Cybereason reports that Lorenz ransomware was observed as early as February 2021 and is likely a rebranding of the .sZ40 ransomware discovered in October 2020. The attackers have compromised over 20 victims, predominantly in “English-speaking countries” and across a variety of industries. Europol’s European Cybercrime Centre was able to set the ransomware group back as part of the “No More Ransom” project, as a limited decryptor was released for the group’s ransomware. The threat group’s attack method is methodical, studying the victim’s network to create a customized and tailored operation. For example, the attackers impersonate “the target’s employees, suppliers and partners. This way, the Lorenz group can even go from one, already compromised victim, to another.” After gaining a foothold on the network, “the attackers start to perform reconnaissance commands, move laterally within the network, and collect sensitive data including credentials, file, databases and emails.” Given the group’s customized attacks, threat behavior has varied. Common behaviors associated with the ransomware include the use of a scheduled task to execute vssadmin to delete volume shadow copies, and older Lorenz samples have cleared Windows event logs. A unique extortion method the group uses involves selling the compromised data to threat actors or competitors. If the ransom isn’t paid, they leak the data publicly. Lastly, the ransomware group also sells access to networks they’ve compromised.
- Anvilogic Use Cases:
- Inhibit System Recovery Commands
- Create/Modify Schtasks
- Registry key added with reg.exe
- Clear Windows Event Logs
Cybereason provides analysis of ALPHV (aka Blackcat) RaaS (Ransomware as a Service), with operators likely associated with Russia.
Conti chats stored from a Jabber communication system were leaked by a Ukrainian security researcher, as reported by BleepingComputer.
Phishing with Citibank Lures
Industry: Financial | Level: Strategic | Source: BleepingComputer
A widespread phishing campaign is luring customers of Citibank, as reported by BleepingComputer and investigated by Bitdefender. Threat actors are spreading phishing emails that attempt to capture the victim’s Citibank online login credentials and personal user information. The email urges swift action from the user to avoid account suspension, with a link leading to a fraudulent Citibank login page. Victim statistics for the campaign, as tracked by Bitdefender, show that targets are predominantly Americans (81%), followed by UK users (7%) and South Korean users (4%). An alternative Citibank-themed phishing campaign occurred between February 11th and 15th, 2022, incentivizing victims with an opportunity to win monetary prizes in an attempt to capture users’ personal information including “full name, address, age, phone number, and a scanned copy of their national ID card.”
Industry: N/A | Level: Strategic | Source: Intel471
Corresponding with AdvIntel’s reports of fading Trickbot activity, Intel471 also reports noticeably dormant activity from the notorious malware, as no new Trickbot campaigns have been observed in 2022. Tracking of Trickbot campaigns identified only three during December 2021, with the latest campaign occurring on December 28th, 2021. The December activity is lower than the eight campaigns identified in November 2021. In addition, Intel471 observes a lack of updates to “onboard malware configuration files (mcconf), which contain a list of controller addresses the bot can connect to.” The drop in Trickbot activity is theorized to be due to a shift in operations in favor of Emotet. The lack of Trickbot activity is not a sign that the malware operation is dead, as its command and control infrastructure remains active. Malware associated with Trickbot, such as Emotet, Bazar and Bokbot, should be closely monitored, especially as they are closely tied to ransomware deployments such as Conti.
Anonymous Hacking Group Takes Aim at Russia
Industry: N/A | Level: Strategic | Source: Joe.co.uk
Russian aggression has provoked the hacking group Anonymous, which has declared “cyber war” against Russia. From the group’s Twitter handle @YourAnonOne, the group posted the following tweet: “The Anonymous collective is officially in cyber war against the Russian government.” The hacking group is making an impact quickly, as it has already taken down Russian news websites: “The #Anonymous collective has taken down the website of the #Russian propaganda station RT News.”
Belarusian Hackers, UNC1151 Target Ukraine
Industry: Defense, Military | Level: Strategic | Source: TechCrunch
As reported by TechCrunch and announced in a social media post by Ukraine’s Computer Emergency Response Team (CERT-UA), a phishing campaign conducted by the Belarusian state-sponsored hacker group UNC1151 is targeting the private email accounts of Ukrainian military personnel. CERT-UA states, “Mass phishing emails have recently been observed targeting private i.ua and meta.ua accounts of Ukrainian military personnel and related individuals…After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim’s address book to send the phishing emails.” Threat activity from UNC1151 has consistently been tied to targeting the Ukrainian military, so this attribution falls in line with the group’s historic trend over the past two years. The Kyiv government has also attributed the DDoS attacks against Ukrainian websites to this threat group.
Ukraine’s IT Army
Industry: Email, Government, Technology | Level: Strategic | Source: BleepingComputer
As reported by BleepingComputer, following a call to action by Ukraine’s Minister for Digital Transformation, Mykhaylo Fedorov, a Ukrainian “IT Army” was assembled to “fight on the cyber front.” The group’s operations are communicated through a Telegram channel, with an initial task list of 31 Russian targets across a variety of industries and technologies: “This list includes 31 targets, including Russian government agencies, government IP addresses, government storage devices and mail servers, three banks, large corporations supporting critical infrastructure, and even the popular Russian search engine and email portal, Yandex.”
UNC2596 & Cuba Ransomware
Industry: Construction Engineering, Education, Energy, Financial, Government, Healthcare, Legal, Manufacturing, Media, Oil, Technology and Transportation | Level: Tactical | Source: Mandiant
Mandiant reports activity from the threat group UNC2596, which deploys Cuba/COLDDRAW ransomware by exploiting the Exchange vulnerabilities ProxyShell and ProxyLogon. The threat group has targeted over 10 countries, with 80% of the victim organizations based in North America. Industry targets span many verticals, including construction engineering, education, energy, financial, government, health care, legal, manufacturing, media, oil, technology and transportation. The threat group’s extortion model has incorporated a shaming website since 2021. UNC2596 attack tactics have included Mimikatz and user account creation for privilege escalation. Reconnaissance has involved a ping sweeping tool and a PowerShell script that uses “Get-ADComputer”. Lateral movement is facilitated with RDP, SMB, and PsExec. UNC2596 completes its operation by collecting, encrypting and exfiltrating data using batch scripts.
- Anvilogic Use Cases:
- Potential ProxyShell
- Potential PHP Webshell
- Create/Add Local/Domain User
- Potential Ping Sweep
- Common Active Directory Commands
- Remote Admin Tools
- RDP Hijacking
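As an added illustration (example code, not Anvilogic’s own detection content), the checks below express the Lorenz behaviors above (a scheduled task running vssadmin to delete shadow copies, event log clearing) and the UNC2596 reconnaissance and lateral-movement behaviors (ping sweep, Get-ADComputer, PsExec) as simple rules run over constructed Sysmon-style process-creation events. The field names, regex patterns and the ping-sweep threshold are assumptions, not values from the reports.

```python
"""Atomic detections for the Lorenz and UNC2596 behaviors, over constructed events."""
import re
from collections import defaultdict

# Each rule is (use-case name, pattern over the lower-cased command line).
# Patterns are assumptions chosen for this example, not production signatures.
RULES = [
    ("Inhibit System Recovery Commands",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("Create/Modify Schtasks", re.compile(r"schtasks(\.exe)?\s+/(create|change)\b")),
    ("Clear Windows Event Logs", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("Common Active Directory Commands", re.compile(r"get-adcomputer|get-aduser\b")),
    ("Remote Admin Tools", re.compile(r"psexec(64)?(\.exe)?\b")),
]
PING_SWEEP_THRESHOLD = 5  # distinct hosts pinged by one parent process (assumed)

def match_rules(event):
    """Return every use-case name whose pattern hits this event's command line."""
    cmd = event["CommandLine"].lower()
    return [name for name, pat in RULES if pat.search(cmd)]

def detect_ping_sweeps(events, threshold=PING_SWEEP_THRESHOLD):
    """Return parent GUIDs whose child ping.exe processes hit >= threshold hosts."""
    hosts = defaultdict(set)
    for e in events:
        tokens = e["CommandLine"].lower().split()
        if len(tokens) >= 2 and tokens[0] in ("ping", "ping.exe"):
            hosts[e["ParentProcessGuid"]].add(tokens[-1])  # last token = target host
    return {guid for guid, h in hosts.items() if len(h) >= threshold}

def run_detections(events):
    """Collect (process id or parent GUID, use-case name) pairs for all hits."""
    hits = [(e["ProcessId"], name) for e in events for name in match_rules(e)]
    hits += [(g, "Potential Ping Sweep") for g in sorted(detect_ping_sweeps(events))]
    return hits

# Constructed sample events (Sysmon-style fields) mirroring the reported behaviors.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessGuid": "P1",
     "CommandLine": 'schtasks /create /tn Update /tr "vssadmin delete shadows /all /quiet"'},
    {"ProcessId": 101, "ParentProcessGuid": "P1", "CommandLine": "wevtutil cl Security"},
    {"ProcessId": 102, "ParentProcessGuid": "P2",
     "CommandLine": 'powershell -c "Get-ADComputer -Filter *"'},
    {"ProcessId": 108, "ParentProcessGuid": "P4", "CommandLine": "ping -n 1 10.0.0.9"},
    {"ProcessId": 109, "ParentProcessGuid": "P4", "CommandLine": "notepad.exe report.txt"},
] + [{"ProcessId": 110 + i, "ParentProcessGuid": "P3",
      "CommandLine": f"ping -n 1 10.0.0.{i}"} for i in range(1, 6)]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

The single scheduled-task event fires two rules at once, which is exactly the chained Lorenz behavior that a sequence-based threat scenario would build on.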
APT29/Nobelium Targets Embassies
Industry: Government | Level: Tactical | Source: Fortinet
- Anvilogic Scenario: Malicious Document Delivering Malware
- Anvilogic Use Cases:
- Rundll32 Command Line
- Suspicious File written to Disk