The Anvilogic Threat Reports
Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can help identify successful payload delivery and compromise through a given vulnerability.
- Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
- Strategic: General information security news, for awareness
About the Team
The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.
We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:
- Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
- Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
- Reports Hot off the forge:
- Threat News Reports
- Trending Threat Reports
- Research Articles
If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at email@example.com.
Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.
If you are not a customer but would like the detection code for a specific vulnerability or exploit, reach out to us; we're happy to help: firstname.lastname@example.org
Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform
IsaacWiper and HermeticWizard
Industry: N/A | Level: Tactical | Source: WeLiveSecurity
Researchers at ESET have identified a second wiper, IsaacWiper, compiled as early as October 19th, 2021 and deployed against Ukraine on February 24th, 2022. Details on IsaacWiper remain limited, as the investigation is still ongoing. ESET also identified a new companion malware for HermeticWiper, named HermeticWizard, which aids the wiper by “spread[ing] HermeticWiper across a local network via WMI and SMB.” There is no code similarity between the two wipers, HermeticWiper and IsaacWiper. Both HermeticWiper and HermeticWizard are signed with the same (now revoked) code-signing certificate from “Hermetica Digital Ltd issued on April 13th, 2021.”
- Anvilogic Scenarios:
- Trojan.Killdisk/HermeticWiper – Execution Behaviors
- HermeticWizard – Behaviors
- Anvilogic Use Cases:
- regsvr32 Execution
- Rundll32 Command Line
- Windows Admin$ Share Access
Sandworm Team New Malware, Cyclops Blink
Industry: N/A | Level: Tactical | Source: NCSC
The National Cyber Security Centre (NCSC) reports that a new Linux malware, Cyclops Blink, is attributed to the Russian threat group Sandworm Team. The malware is associated with a large-scale botnet that has been active since June 2019, targeting Small Office/Home Office (SOHO) network devices. It has a modular framework in which capabilities to “download/upload files, extract device information, and update the malware have been built-in and are executed at startup.” The malware runs as “a process named [kworker:0/1],” mimicking a kernel worker thread, gathers system information at regular intervals, and persists on the device through the firmware update process. For command and control, Cyclops Blink leverages “OpenSSL (version 1.0.1f) to support C2 communication underneath TLS. Each time the malware beacons it randomly selects a destination from the current list of C2 server IPv4 addresses and hard-coded list of C2 ports.”
- Anvilogic Use Cases:
- Common Reconnaissance Commands
- File Download
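A host-side check that follows from the process name above, added here as an example and not part of the NCSC report or Anvilogic's content: real Linux kernel threads have no executable image (reading `/proc/<pid>/exe` fails) and an empty `/proc/<pid>/cmdline`, so a user-space binary that names itself `[kworker:0/1]` still gives itself away. The process table in `SAMPLE` is constructed; `snapshot_proc()` builds the same structure from a live `/proc`. The list of kernel-thread name prefixes is an assumption, not exhaustive.

```python
"""Spot user-space processes masquerading as Linux kernel threads.

Added example (not from the NCSC report). Genuine kernel threads have no
backing executable and an empty cmdline; a renamed user-space process
keeps both.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Name prefixes used by real kernel threads; Cyclops Blink imitates "kworker".
# (Assumed list for illustration, not exhaustive.)
KERNEL_THREAD_NAMES = re.compile(r"^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_)")


@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm, or the bracketed name shown by ps
    exe: Optional[str]   # resolved /proc/<pid>/exe, None when unreadable
    cmdline: str         # /proc/<pid>/cmdline with NUL separators replaced


def looks_like_kernel_thread(p: Proc) -> bool:
    return bool(KERNEL_THREAD_NAMES.search(p.comm))


def is_fake_kernel_thread(p: Proc) -> bool:
    """Kernel-thread-style name backed by a real binary or a cmdline is the tell."""
    if not looks_like_kernel_thread(p):
        return False
    return p.exe is not None or p.cmdline.strip() != ""


def find_fake_kernel_threads(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if is_fake_kernel_thread(p)]


def snapshot_proc() -> List[Proc]:
    """Build the process table from /proc on a live Linux host."""
    procs: List[Proc] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue  # process exited between listdir and read
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = None  # kernel threads (and zombies) land here
        procs.append(Proc(pid, comm, exe, cmdline))
    return procs


# Constructed sample table: one genuine kworker, one Cyclops-Blink-style fake.
SAMPLE = [
    Proc(12, "kworker/0:1", None, ""),
    Proc(31337, "[kworker:0/1]", "/tmp/.x/cb", "[kworker:0/1]"),
    Proc(1, "init", "/sbin/init", "/sbin/init"),
]

if __name__ == "__main__":
    for p in find_fake_kernel_threads(snapshot_proc()):
        print(f"suspicious pid={p.pid} comm={p.comm!r} exe={p.exe!r}")
```

Run it as root on a device you can get a shell on; on an appliance without Python, the same two facts (unreadable `exe` link, empty `cmdline`) can be checked with `readlink /proc/<pid>/exe` and `cat /proc/<pid>/cmdline` in a shell loop.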
Dragos 2021 Industrial Control System (ICS)/Operational Technology (OT)
Industry: Critical Infrastructure | Level: Tactical | Source: Dragos
Dragos provides insight on the impact of cybersecurity on Industrial Control System (ICS)/Operational Technology (OT) environments during 2021. The report identified manufacturing as the most targeted ICS sector, with 211 ransomware compromises, followed by food and beverage with 35 and transportation with 27. The most heavily impacted manufacturing subsectors were metal products, automotive and plastics technology. Overall, attacks were largely attributed to LockBit 2.0 and Conti, which accounted for 51% of all attacks and 70% of the attacks targeting manufacturing. Targeting of the manufacturing sector is often enabled by a lack of information security practices, with Dragos citing poor perimeter security, external connectivity and use of shared credentials. A Dragos engagement with an electric operator identified a compromise made easier by poor network controls: “Because of a weak security posture and no network segmentation, the adversary gained access to the domain controller and other key systems at the plant.” The attackers’ initial tactic was a smash and grab, exfiltrating data of interest and then laying low for a week. After a week of silence, they moved to ransomware deployment, as they “deployed scripts and tools to weaken the company’s defenses, such as Microsoft Defender, and deployed ransomware through the Group Policy, WinRM, and PSExec-as-a-service to most systems on the network,” and attempted to hinder forensic analysis by clearing Windows logs and disabling logging.
- Anvilogic Use Cases:
- Modify Group Policy
- WinRM Tools
- Remote Admin Tools
- Clear Windows Event Logs
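The use cases listed for the HermeticWizard and Dragos entries above map onto the identifier/scenario split this page describes: atomic Threat Identifiers (one behaviour each) whose hits are then correlated per host into a Threat Scenario. The code below is an added example of that structure and is not Anvilogic's detection content. The event IDs are standard Windows/Sysmon ones (5140 network share access, Sysmon 1 process creation, 7045 service install, 1102/104 log cleared); the field names, the `regsvr32 /s /i` command line, the one-hour window and the "two distinct identifiers" threshold are assumptions, and every event in `SAMPLE_EVENTS` is constructed.

```python
"""Threat Identifiers feeding a sequence-based Threat Scenario.

Added example, not Anvilogic's own content. Identifiers are atomic
detections; the scenario fires when several different identifiers hit the
same host inside a time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Hit = Tuple[str, datetime, str]          # (host, time, identifier name)
# Module paths on a regsvr32/rundll32 command line (no spaces in path, assumption).
MODULE_RE = re.compile(r'[a-z]:\\[^\s,"]+?\.(?:dll|ocx)', re.IGNORECASE)


def admin_share_access(e: Event) -> bool:
    """EID 5140: a network share object was accessed, and it is ADMIN$."""
    return e.get("event_id") == "5140" and e.get("share_name", "").upper().endswith("\\ADMIN$")


def dll_loaded_from_user_path(e: Event) -> bool:
    """Sysmon 1: regsvr32/rundll32 given a module that lives outside C:\\Windows."""
    if e.get("event_id") != "1":
        return False
    if not e.get("image", "").lower().endswith(("\\regsvr32.exe", "\\rundll32.exe")):
        return False
    modules = MODULE_RE.findall(e.get("command_line", ""))
    return any(not m.lower().startswith("c:\\windows\\") for m in modules)


def psexec_service_install(e: Event) -> bool:
    """EID 7045: a new service whose binary is the PsExec service stub."""
    return e.get("event_id") == "7045" and "psexesvc" in e.get("image_path", "").lower()


def event_log_cleared(e: Event) -> bool:
    """EID 1102 (Security log cleared) or 104 (System log cleared)."""
    return e.get("event_id") in ("1102", "104")


IDENTIFIERS: Dict[str, Callable[[Event], bool]] = {
    "Windows Admin$ Share Access": admin_share_access,
    "regsvr32/rundll32 Module Outside OS Dir": dll_loaded_from_user_path,
    "PsExec Service Install": psexec_service_install,
    "Clear Windows Event Logs": event_log_cleared,
}


def run_identifiers(events: List[Event]) -> List[Hit]:
    hits: List[Hit] = []
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        hits.extend((e["host"], ts, name) for name, rule in IDENTIFIERS.items() if rule(e))
    return hits


def run_scenario(hits: List[Hit], window: timedelta = timedelta(hours=1),
                 min_distinct: int = 2) -> Dict[str, List[str]]:
    """Per host: fire when >= min_distinct different identifiers occur within window."""
    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for host, ts, name in hits:
        by_host[host].append((ts, name))
    alerts: Dict[str, List[str]] = {}
    for host, seq in by_host.items():
        seq.sort(key=lambda x: x[0])
        for i, (t0, _) in enumerate(seq):
            names = {n for t, n in seq[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                alerts[host] = sorted(names)
                break
    return alerts


# Constructed events: WS01 sees an ADMIN$ write then a silent regsvr32 install
# (the HermeticWizard-style chain); SRV02 sees PsExec then a log wipe (the
# Dragos ransomware chain); WS03 and WS04 are single or benign events.
SAMPLE_EVENTS: List[Event] = [
    {"host": "WS01", "time": "2022-02-24T09:00:00", "event_id": "5140",
     "share_name": "\\\\*\\ADMIN$", "source_ip": "10.0.0.7"},
    {"host": "WS01", "time": "2022-02-24T09:02:00", "event_id": "1",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "regsvr32.exe /s /i C:\\Users\\Public\\cc.dll"},
    {"host": "SRV02", "time": "2022-02-24T13:00:00", "event_id": "7045",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "SRV02", "time": "2022-02-24T13:10:00", "event_id": "1102"},
    {"host": "WS03", "time": "2022-02-24T08:00:00", "event_id": "104"},
    {"host": "WS04", "time": "2022-02-24T10:00:00", "event_id": "1",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for host, names in run_scenario(run_identifiers(SAMPLE_EVENTS)).items():
        print(host, "->", ", ".join(names))
```

Tuning the window and the distinct-identifier threshold is where the noise lives: a lone log clear on a build server is routine, while a log clear ten minutes after a PsExec service install on the same host is the Dragos sequence.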
Banking outage in Canada
Industry: Financial | Level: Strategic | Source: BleepingComputer
Reported by BleepingComputer on February 16th, 2022, an apparent outage at “Royal Bank of Canada (RBC), BMO (Bank of Montreal), Scotiabank, TD Bank Canada, and the Canadian Imperial Bank of Commerce (CIBC)” prevented customers from accessing or using services in their online and mobile banking portals. The issues persisted throughout the day, peaking between 17:00 and 18:00 EST. A Bank of Montreal customer cited problems with the “Global Money Transfer service” and attempted transactions being auto-rejected. The Royal Bank of Canada suffered sporadic issues; systems were reported restored on Twitter, only for customers to report further problems shortly after.
Analysis of Ukraine’s DDoS Attack
Industry: Government, Financial and Military | Level: Strategic | Source: CadoSecurity
CadoSecurity provided an analysis of the Distributed Denial-of-Service (DDoS) attack that impacted Ukrainian “banks, government and military websites” on February 15th and 16th, 2022. The attack on the banks PrivatBank and Oschad was assessed as moderate in severity, as the sites returned to normal operation within a few hours. A review of the attack infrastructure by Ukrainian CERT, 360Netlab and BadPackets identified the source as the Katana botnet, a variant of the Mirai botnet. The U.S. attributed the attack to Russia on Friday, February 18th, 2022, which Russian officials have denied.
Meyer Corporation Ransomware Attack
Industry: Manufacturing | Level: Strategic | Sources: BleepingComputer & NotificationLetter
On October 25th, 2021, Meyer Corporation, a cookware distributor, suffered a ransomware attack, as reported by BleepingComputer. A review of the incident completed on December 1st, 2021 identified the compromise of employee data, including data of employees at the Meyer Corporation subsidiaries “Hestan Commercial Corporation, Hestan Smart Cooking, Hestan Vineyards, and Blue Mountain Enterprises, LLC.” Information exposed in the breach included names, addresses, dates of birth, social security numbers, passports, government ID numbers and more. Meyer Corporation’s data breach notification doesn’t contain specific details regarding the attack; however, BleepingComputer identified an entry on Conti’s extortion site dated November 7th, 2021 that coincides with the attack timeline. The site contained 2% of the data allegedly stolen from Meyer, but there has been no follow-up since the posting, with potential outcomes being “either an indication of their willingness to negotiate indefinitely or due to losing interest.”
Financial Fraud with Exchange Vulnerabilities
Industry: N/A | Level: Tactical | Source: Sophos
The malware loader Squirrelwaffle emerged in September 2021 and continues to spread by exploiting the Microsoft Exchange ProxyLogon and ProxyShell vulnerabilities. Sophos observed hijacked email threads being used to advance the spread of Squirrelwaffle, and its investigations also identified attackers committing financial fraud using the information obtained from the hijacked emails. Where a hijacked thread contained details of customer payments, the attackers registered a “typo-squatted” domain and sent fraudulent replies into the thread, requesting assistance in a manner that would give them access to the victim’s payments.
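The fraud above relies on a reply arriving from a domain one or two characters away from a legitimate participant's. A mail-gateway check for that pattern, added here as an example and not Sophos's code: for each reply in a thread, compare the sender's domain against the domains already seen in the thread and flag near-misses, escalating when the body talks about payment details. The thread in `SAMPLE_THREAD`, the address formats, the edit-distance threshold of 2 and the payment keyword list are constructed assumptions; `registrable()` also assumes two-label registrable domains (no `co.uk`-style suffixes).

```python
"""Flag thread replies sent from look-alike (typo-squatted) sender domains.

Added example, not from the Sophos write-up. Compares each reply's sender
domain with domains already present earlier in the thread.
"""
from typing import Dict, List, Optional, Tuple

PAYMENT_WORDS = ("bank", "account", "wire", "payment", "invoice", "remit")  # assumed list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """'Name <user@dom>' or 'user@dom' -> 'dom' (lower-cased)."""
    return addr.rsplit("@", 1)[-1].strip(">").lower()


def registrable(domain: str) -> str:
    """Crude registrable domain: last two labels. Assumes no multi-part public suffix."""
    return ".".join(domain.split(".")[-2:])


def lookalike(domain: str, known: List[str], max_distance: int = 2) -> Optional[str]:
    """Return the known domain this one imitates, or None if exact or unrelated."""
    d = registrable(domain)
    known_reg = [registrable(k) for k in known]
    if d in known_reg:
        return None  # an existing, legitimate participant
    best: Optional[Tuple[str, int]] = None
    for kd in known_reg:
        dist = edit_distance(d, kd)
        if 0 < dist <= max_distance and (best is None or dist < best[1]):
            best = (kd, dist)
    return best[0] if best else None


def review_thread(messages: List[Dict[str, str]]) -> List[Tuple[int, str, str, bool]]:
    """(index, sender domain, impersonated domain, mentions_payment) per suspicious reply."""
    seen: List[str] = []
    findings: List[Tuple[int, str, str, bool]] = []
    for i, m in enumerate(messages):
        dom = sender_domain(m["from"])
        target = lookalike(dom, seen)
        if target:
            body = m.get("body", "").lower()
            findings.append((i, dom, target, any(w in body for w in PAYMENT_WORDS)))
        elif dom not in seen:
            seen.append(dom)  # only trusted participants extend the baseline
    return findings


# Constructed thread: supplier invoice, customer reply, then a reply from a
# domain missing one letter that asks for payment to a "new" account.
SAMPLE_THREAD: List[Dict[str, str]] = [
    {"from": "Accounts <accounts@acme-supply.com>", "body": "Please find invoice 4471 attached."},
    {"from": "ap@contoso.com", "body": "Received, scheduled for payment on the 30th."},
    {"from": "Accounts <accounts@acme-suply.com>",
     "body": "Our bank account has changed, please remit payment to the new account below."},
    {"from": "accounts@acme-supply.com", "body": "Thanks, confirming receipt."},
]

if __name__ == "__main__":
    for idx, dom, target, pay in review_thread(SAMPLE_THREAD):
        print(f"message {idx}: {dom} imitates {target}; payment wording: {pay}")
```

The check is deliberately positional: only domains that appeared before the suspicious reply count as the baseline, and a flagged domain never joins it, so a second message from the squatted domain is still flagged rather than being grandfathered in.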