The Anvilogic Threat Reports
Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: each report points your team at the malicious exploit strings to search for and the exposure checks to run on endpoint devices and servers, which can help identify a successful payload delivery and compromise through the vulnerability in question.
- Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
- Strategic: General information security news, for awareness
About the Team
The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.
We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:
- Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
- Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
- Reports Hot off the forge:
- Threat News Reports
- Trending Threat Reports
- Research Articles
If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at email@example.com.
Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.
If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: firstname.lastname@example.org
Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform
Industry: N/A | Level: Tactical | Source: SafeBreach
SafeBreach Labs has investigated activity from an Iranian threat actor that combines the MSHTML vulnerability CVE-2021-40444 with a PowerShell information-stealer script the researchers named “PowerShortShell.” The name comes from the script’s length: in only 153 lines of code it collects and sends crucial information about the victim’s environment to the adversary, including screen captures, Telegram files, and documents. The described attack chain starts with a malicious email carrying a Word document; the document drops a DLL to the %temp% directory, and that DLL downloads and executes PowerShortShell.
- Anvilogic Scenario: AVL_UC8308 – PowerShortShell Behaviors
Industry: Financial, Government, Law, Military and Technology | Level: Operational | Source: SecureList
The WIRTE group has been conducting campaigns that use malicious Excel 4.0 macros against high-profile public and private entities, Kaspersky researchers recently shared. While the attacks concentrate on entities in the Middle East, researchers report impacts in other regions as well. WIRTE relies on living-off-the-land (LotL) techniques to evade detection, and Kaspersky attributes the group to the Gaza Cybergang threat actor with low confidence. An observed attack chain starts with a phishing campaign that distributes the malicious document. Once it runs, a VBS script writes an embedded PowerShell command to disk and creates persistence in the registry. LitePower, a PowerShell implant, acts as the downloader and second stage, communicating with the C2 to download or deploy additional malware.
- Anvilogic Scenario: WIRTE’s LotL campaign
- Anvilogic Use Cases:
- Wscript/Cscript Execution
- Add DLL/EXE Registry Value
- Registry key added with reg.exe
- Create/Modify Schtasks
APT37 and Chinotto Malware
Industry: Media & Nonprofit | Level: Tactical | Source: SecureList
Kaspersky has identified the North Korean state-sponsored group APT37 (also tracked as ScarCruft and Temp.Reaper) targeting South Korean journalists, defectors, and human rights activists. The group used a malware family named Chinotto, distributed through watering holes, spear-phishing emails, and smishing. A news organization had data stolen, and the evidence showed the attackers had access to its environment for several months. Chinotto variants were observed in PowerShell, Windows executable, and Android form, all with similar HTTP-based command-and-control schemes. Additional capabilities observed include modifying registry keys (specifically enabling trust access to the VBA project object model), registering a PowerShell command in the Run registry key for persistence that executes an HTA file with mshta, and collecting files into a staging folder.
- Anvilogic Scenario: APT37 & “Chinotto” Malware
- Anvilogic Use Cases:
- Query Registry
- New AutoRun Registry Key
- MSHTA.exe execution
- Data Staged to File
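The WIRTE and APT37 entries above both describe chains of atomic behaviors (a script host running a VBS, a Run-key value that launches PowerShell, VBA trust access enabled, mshta executing an HTA) that only become convincing as an ordered sequence on one host, which is exactly the Threat Identifier versus Threat Scenario split described at the top of this page. The Python below is an added example, not Anvilogic’s own Threat Identifier or Threat Scenario content: atomic identifiers run over constructed Sysmon-like events, and sequence-based scenarios correlate their hits per host within a time window. The event schema, host names, the 600-second window, and the registry value name used for VBA trust access (AccessVBOM) are assumptions made for the example.

```python
"""Atomic threat identifiers feeding sequence-based threat scenarios over
constructed Windows telemetry. Example code; not Anvilogic's own content."""
import re
from collections import defaultdict

# Constructed Sysmon-like events. The schema (ts, host, type, image, cmdline,
# key, value, data) is an assumption made for this example.
EVENTS = [
    # ws01: WIRTE-style chain - VBS via wscript, then PowerShell in a Run key
    {"ts": 100, "host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\AppData\Local\Temp\invoice.vbs"'},
    {"ts": 103, "host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
                r' /v Updater /t REG_SZ /d "powershell.exe -nop -w hidden -enc SQBFAFgA"'},
    {"ts": 104, "host": "ws01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # ws02: APT37-style chain - VBA trust enabled, Run key to mshta, mshta runs
    {"ts": 200, "host": "ws02", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Security",
     "value": "AccessVBOM", "data": "1"},
    {"ts": 230, "host": "ws02", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDriveUpd",
     "data": r"powershell.exe -w hidden mshta C:\Users\b\AppData\Roaming\svc.hta"},
    {"ts": 231, "host": "ws02", "type": "process",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Users\b\AppData\Roaming\svc.hta"},
    # ws03: benign - a Run key for a desktop app, and a script host hours later
    {"ts": 300, "host": "ws03", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Slack", "data": r"C:\Program Files\Slack\slack.exe --autostart"},
    {"ts": 5000, "host": "ws03", "type": "process",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\scripts\inventory.vbs"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)

def _image_is(e, *names):
    return e["type"] == "process" and e["image"].lower().endswith(names)

# Threat identifiers: one atomic behavior each, named after the use cases above.
IDENTIFIERS = {
    "script_host": lambda e: _image_is(e, "\\wscript.exe", "\\cscript.exe"),
    "reg_exe_add": lambda e: _image_is(e, "\\reg.exe") and " add " in e["cmdline"].lower(),
    "schtasks_create": lambda e: _image_is(e, "\\schtasks.exe") and "/create" in e["cmdline"].lower(),
    "mshta": lambda e: _image_is(e, "\\mshta.exe"),
    "new_autorun": lambda e: e["type"] == "registry" and bool(RUN_KEY.search(e["key"])),
    # AccessVBOM=1 grants programmatic access to the VBA project (assumed value name)
    "vba_trust": lambda e: e["type"] == "registry"
                 and e["value"].lower() == "accessvbom" and e["data"] == "1",
}

# Threat scenarios: ordered identifier steps, each with an optional extra
# predicate on the matching event, that must all occur within `window` seconds.
SCENARIOS = {
    "WIRTE LotL persistence": {"window": 600, "steps": [
        ("script_host", None),
        ("new_autorun", lambda e: "powershell" in e["data"].lower())]},
    "APT37 Chinotto persistence": {"window": 600, "steps": [
        ("vba_trust", None),
        ("new_autorun", lambda e: "mshta" in e["data"].lower()),
        ("mshta", None)]},
}

def run_identifiers(events):
    """Map host -> time-ordered list of (ts, identifier name, event) hits."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        for name, fn in IDENTIFIERS.items():
            if fn(e):
                hits[e["host"]].append((e["ts"], name, e))
    return hits

def match_sequence(host_hits, steps, window):
    """Earliest ordered chain of identifier hits satisfying every step within
    `window` seconds of the first step; None if no such chain exists."""
    def walk(i, start, last, chain):
        if i == len(steps):
            return chain
        want, pred = steps[i]
        for ts, name, e in host_hits:
            if name != want or ts < last or (pred and not pred(e)):
                continue
            if start is not None and ts - start > window:
                break  # hits are time-ordered, so nothing later can fit
            found = walk(i + 1, ts if start is None else start, ts, chain + [(ts, name)])
            if found:
                return found
        return None
    return walk(0, None, float("-inf"), [])

def run_scenarios(events):
    """Evaluate every scenario on every host; returns one alert per match."""
    alerts = []
    for host, host_hits in sorted(run_identifiers(events).items()):
        for name, spec in SCENARIOS.items():
            chain = match_sequence(host_hits, spec["steps"], spec["window"])
            if chain:
                alerts.append({"scenario": name, "host": host, "chain": chain})
    return alerts

if __name__ == "__main__":
    for a in run_scenarios(EVENTS):
        print(f"[{a['scenario']}] {a['host']}: "
              + " -> ".join(f"{n}@{t}" for t, n in a["chain"]))
```

Note the negative case: ws03 fires two identifiers (a new Run key, a later script host) but no scenario, because the Run-key value does not point at PowerShell and the script host comes after it rather than before. That ordering constraint is what keeps the sequence detection from alerting on every admin who adds an autostart entry.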
Prodaft Researchers Identify a Conti Server
Industry: N/A | Level: Strategic | Source: TheRecord
Researchers at Prodaft identified an exposed server associated with the Conti ransomware gang. The server hosts the payment and recovery site that victims visit to negotiate ransom payments. The researchers maintained access to the server for several weeks, observing the network traffic connecting to it. Most of that traffic came from victim IP addresses, but the SSH traffic observed was likely the ransomware operators themselves. Unfortunately, the SSH source addresses belonged to Tor exit nodes. When Prodaft published its report on this activity, the gang noticed immediately and took the server offline.
Vestas Wind Systems Impacted by Cyberattack
Industry: Manufacturing | Level: Strategic | Source: Vestas
Vestas Wind Systems, a wind turbine manufacturer, suffered a cyberattack on Friday, November 19th, 2021. The company’s latest update, on November 22nd, indicated it was still working to bring systems back online while the investigation continued. Preliminary findings reported by the company identified impacts to Vestas’ internal IT infrastructure, with no indication at that stage that the incident affected third-party operations involving customers or the supply chain.
GoDaddy Data Breach
Industry: Technology | Level: Strategic | Source: BleepingComputer
GoDaddy disclosed a breach of its WordPress hosting environment affecting up to 1.2 million customers. While GoDaddy identified the unauthorized activity on Wednesday, November 17th, its review found that the attackers had been inside the systems since at least September 6th, 2021, having gained entry with a compromised password. Exposed data included customer numbers and email addresses, the WordPress admin password, sFTP and database usernames and passwords for active customers, and, for several customers, the SSL private key.
CVE-2021-41379 Patch Bypass = InstallerFileTakeOver
Industry: N/A | Level: Tactical | Source: BleepingComputer
Security researcher Abdelhamid Naceri bypassed the fix Microsoft shipped for CVE-2021-41379 in the November 2021 patch cycle and released the exploit under the name InstallerFileTakeOver. The exploit affects all supported versions of Windows, including Windows 10, Windows 11 and Windows Server 2022, and lets a standard user obtain administrator-level privileges. BleepingComputer validated how easy the exploit is to use: it “tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.”
- Anvilogic Use Case: Potential InstallerFileTakeOver CVE-2021-41379
Memento Team, Ransomware Gang
Industry: N/A | Level: Operational | Source: Sophos
Sophos observed the ransomware gang Memento Team fall back to password-protected WinRAR archives after endpoint protection stopped the group’s original Python 3.9 encryptor: instead of encrypting files with custom code, the actors moved them into archives that only the attackers held the password for. The group was active in the victim’s network for a long time, with a six-month dwell time from initial access in April 2021 through CVE-2021-21972, a vCenter vulnerability. During that time the actors also deployed two coin-miners, XMR on May 18th and XMRig on September 8th, before the victim’s network was finally locked up with password-protected archives in October.
- Anvilogic Scenario: Memento Team – Behavior
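Memento’s fallback turns a legitimate, signed archiver into the impact stage, so endpoint protection tuned to custom encryptors never sees anything it recognizes. What does show up is the archiver’s command line in process-creation telemetry. The Python below is an added example, not Sophos’s or Anvilogic’s content, that parses rar.exe/WinRAR.exe invocations and flags archiving that both sets a password and removes the source files. It relies on real WinRAR switches (-p sets a password, -hp sets a password and also encrypts file names, -df deletes files after archiving, and the m command moves files into the archive, deleting the originals); whether Memento used exactly these switches is not stated in the entry above and is an assumption here. The command lines are constructed.

```python
"""Flag ransom-style WinRAR usage: password-protected archiving that also
deletes the source files. Example code over constructed process events."""
import shlex

# Constructed command lines as they would appear in process-creation telemetry
SAMPLE_CMDLINES = [
    r'"C:\Program Files\WinRAR\Rar.exe" a -r -pH1dd3nKey -df C:\Backups\locked.rar D:\Shares\Finance\*',
    r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\Users\j\Desktop\photos.rar C:\Users\j\Pictures\*',
    r'Rar.exe m -hpKeepOut -r C:\Temp\out.rar C:\Users\Public\Documents\*',
    r'notepad.exe C:\readme.txt',
]

def parse_rar_cmdline(cmdline):
    """Return a parsed view of a rar.exe/WinRAR.exe invocation, or None when
    the command line belongs to some other program."""
    # posix=False keeps Windows backslashes literal; quotes are stripped by hand
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or not tokens[0].lower().endswith(("rar.exe", "winrar.exe")):
        return None
    command = tokens[1].lower() if len(tokens) > 1 else ""
    info = {"exe": tokens[0], "command": command, "password_set": False,
            "filenames_encrypted": False, "recursive": False,
            "deletes_sources": command == "m",   # 'm' moves files into the archive
            "archive": None, "targets": []}
    for tok in tokens[2:]:
        if tok.startswith("-") and len(tok) > 1:
            low = tok[1:].lower()
            if low.startswith("hp"):        # -hp[pwd]: password, file names encrypted too
                info["password_set"] = info["filenames_encrypted"] = True
            elif low.startswith("p"):       # -p[pwd]: password, file names in the clear
                info["password_set"] = True
            elif low == "df":               # -df: delete files after archiving
                info["deletes_sources"] = True
            elif low in ("r", "r0"):        # -r: recurse into subdirectories
                info["recursive"] = True
        elif info["archive"] is None:       # first non-switch argument is the archive
            info["archive"] = tok
        else:
            info["targets"].append(tok)
    # The ransom signature: adding/moving files under a password AND removing
    # the originals, which leaves the victim with only the locked archive.
    info["suspicious"] = (command in ("a", "m", "u")
                          and info["password_set"] and info["deletes_sources"])
    return info

def scan(cmdlines):
    """Run the parser across many command lines and keep the suspicious ones."""
    hits = []
    for line in cmdlines:
        info = parse_rar_cmdline(line)
        if info and info["suspicious"]:
            hits.append(info)
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_CMDLINES):
        print(f"ALERT {h['command']} -> {h['archive']} targets={h['targets']} "
              f"names_encrypted={h['filenames_encrypted']}")
```

The benign sample (a user archiving their own pictures without a password) parses but does not alert; the two that do alert differ in that one uses -df and the other uses the m command, so a rule keyed only on “-df” would miss half of them. In production the same parser would feed a count of distinct target directories per host, since a single archive of a home folder is routine and a password-protected sweep across file shares is not.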
Red Canary Intelligence Insights from October 2021
Industry: N/A | Level: Tactical | Source: RedCanary
Red Canary’s intelligence insights for October 2021 show Mimikatz, the Yellow Cockatoo/Jupyter infostealer and TA551 as the top three threats, all of which have stayed in the top five since August. Notable new entries in the top ten are Qbot and WannaCry.
Anvilogic Use Case