Microsoft reports on lessons learned during the first four months of the Russia-Ukraine cyber war. Russia has been observed increasing intelligence activity against Ukraine's allies, with the goal of collecting sensitive information from NATO and Western powers.
The Anvilogic Threat Reports
Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: each report helps your team look for malicious exploit strings and run exposure checks on endpoint devices and servers, which can identify successful payload delivery and compromise through the reported vulnerability.
- Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
- Strategic: General information security news, for awareness
About the Team
The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.
We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our work are:
- Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
- Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
- Reports hot off the forge:
  - Threat News Reports
  - Trending Threat Reports
  - Research Articles
If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at firstname.lastname@example.org.
Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.
If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: email@example.com
Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform
Since the second quarter of 2022, McAfee Labs has observed a rise in the use of LNK (shortcut) files in attacks to deliver malware such as Emotet, Qakbot and IcedID.
ProxyShell & Web Shells
Industry: N/A | Level: Tactical | Source: Mandiant
Mandiant investigations continue to identify exploitation of Microsoft Exchange vulnerabilities as recently as November 2021, with estimates of up to 30,000 internet-facing servers still vulnerable. Threat actor exploitation of these vulnerabilities has shifted slightly, “most notably, the writing of web shells via export of exchange certificate requests instead of mailbox exports, and exploitation of the first two vulnerabilities in the exploit chain only to achieve remote PowerShell and create new mailboxes, assign them privileged access to other mailboxes, then access them via Outlook Web Access (OWA)” states the investigation. Three attack paths were observed following second-stage exploitation: a web shell; the New-ExchangeCertificate cmdlet, used to write web shell files; and the New-Mailbox, New-RoleGroupMember and Add-MailboxPermission cmdlets, used to create a new user with full Exchange administrative capabilities.
- Anvilogic Use Cases
  - Potential ProxyShell
  - Potential Web Shell
  - Web Application File Upload
  - Exchange New Export Request
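As an added example (not Anvilogic's detection content and not from the Mandiant report), the Python below turns the two post-exploitation paths described above into detection logic over constructed Exchange admin-audit-style records: an export-style cmdlet writing to a web-served path, and the New-Mailbox, New-RoleGroupMember, Add-MailboxPermission sequence by one actor. The record fields and the Exchange install path are assumptions of the example.

```python
import re
from collections import defaultdict


def ev(ts, user, cmdlet, **params):
    """Build a constructed admin-audit-style record; the field names are this example's own."""
    return {"ts": ts, "user": user, "cmdlet": cmdlet, "params": params}


FE = "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy"
EVENTS = [  # constructed sample, not real Exchange logs
    ev("2021-11-02T09:14:03", "NT AUTHORITY\\SYSTEM", "New-ExchangeCertificate", RequestFile=FE + "\\owa\\auth\\x.aspx"),
    ev("2021-11-02T09:20:10", "CONTOSO\\svc-backup", "New-MailboxExportRequest", FilePath="\\\\localhost\\c$\\backups\\u1.pst"),
    ev("2021-11-03T11:00:00", "CONTOSO\\attacker", "New-Mailbox", Name="svc-helpdesk"),
    ev("2021-11-03T11:01:30", "CONTOSO\\attacker", "New-RoleGroupMember", Identity="Organization Management", Member="svc-helpdesk"),
    ev("2021-11-03T11:03:00", "CONTOSO\\attacker", "Add-MailboxPermission", Identity="ceo", User="svc-helpdesk", AccessRights="FullAccess"),
]

# A certificate request or mailbox export written under an HTTP-served Exchange/IIS
# directory, or with a script extension, is a web shell drop rather than an export.
WEB_ROOT_RE = re.compile(r"FrontEnd\\HttpProxy|ClientAccess|inetpub\\wwwroot", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(aspx?|ashx|asmx|php|jsp)$", re.I)
FILE_PARAMS = ("RequestFile", "FilePath")
PRIV_SEQUENCE = ("New-Mailbox", "New-RoleGroupMember", "Add-MailboxPermission")


def webshell_writes(events):
    """Return (user, cmdlet, path) for export-style cmdlets whose output path is web-served."""
    hits = []
    for e in events:
        for p in FILE_PARAMS:
            path = e["params"].get(p)
            if path and (WEB_ROOT_RE.search(path) or SCRIPT_EXT_RE.search(path)):
                hits.append((e["user"], e["cmdlet"], path))
    return hits


def privilege_sequences(events):
    """Return users who ran the PRIV_SEQUENCE cmdlets in that order (the new-admin path above)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user[e["user"]].append(e["cmdlet"])
    flagged = []
    for user, cmdlets in by_user.items():
        stage = 0
        for c in cmdlets:
            if c == PRIV_SEQUENCE[stage]:
                stage += 1
                if stage == len(PRIV_SEQUENCE):
                    flagged.append(user)
                    break
    return flagged
```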
MSTIC identifies Iranian Threat Actors Targeting IT Sector
Industry: Information Technology | Level: Tactical | Source: Microsoft
A report from Microsoft Threat Intelligence Center (MSTIC) has identified an increase in Iranian threat actors targeting the IT sector, specifically service companies, as a means to access downstream customer networks. The report stated, “This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain.” The attacks have been identified as targeting organizations of interest to the Iranian regime. The rise in attacks was observed by Microsoft, which issued more than 1,600 notifications to over 40 IT companies this year regarding Iranian targeting, compared with only 48 notifications sent in 2020. In one observed case, DEV-0228 compromised an IT provider in Israel in early July 2021, dumped credentials, and over the next two months pivoted to other organizations with strong relations to the initially compromised IT company.
- Anvilogic Scenario: GhostShell Behavior
- Anvilogic Use Case: Remote Admin Tools
MSTIC CyberWarCon Research on Iranian Threat Actor Groups
Industry: N/A | Level: Tactical | Source: Microsoft
Microsoft Threat Intelligence Center (MSTIC) shared research on six Iranian threat actor groups: DEV-0146, RABIDIUM, DEV-0227, PHOSPHORUS, DEV-0198 and DEV-0500. These groups have conducted ransomware attacks in waves, at intervals averaging six to eight weeks, since September 2020. Some tactical TTP details were shared for PHOSPHORUS/Magic Hound (MITRE: G0059): initial access through exploitation of vulnerabilities in Fortinet FortiOS SSL VPN and Exchange Servers, followed by lateral movement, credential access and finally deployment of the ransomware. Additional strategic details are shared for the groups CURIUM and DEV-0343, such as CURIUM’s social engineering tactics, DEV-0343’s brute-forcing of Office 365 accounts, and operating hours that follow the Iranian working schedule.
- Anvilogic Scenario: Phosphorus Behaviors
Why the Emotet Resurgence by AdvIntel
Industry: N/A | Level: Strategic | Source: AdvIntel
On November 14th, 2021, researchers at AdvIntel observed a resurgence of Emotet and postulate that it is the result of “unfulfilled loader commodity demand, decline of the decentralized RaaS (Ransomware-as-a-Service) model, and the return of the monopoly of organized crime syndicates such as Conti.” Based on AdvIntel’s intelligence tracking, the resurgence appears to have been initiated by a former Ryuk member who convinced a former Emotet operator to rebuild and set up the malware builder. Given Emotet’s effectiveness at providing initial access, AdvIntel predicts a potential rise to dominance of Conti ransomware. All of this appears motivated by the previous success of the alliance between Emotet, TrickBot and Ryuk in 2018.
Abuse SilentCleanup Task
Industry: N/A | Level: | Source: GitHub
There’s a task in Windows Task Scheduler called “SilentCleanup” which, although it is executed as Users, automatically runs with elevated privileges. When it runs, it executes the file “%windir%\system32\cleanmgr.exe”. Since it runs as Users, and it’s possible to control the user’s environment variables, “%windir%” (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and that file will run as admin. This use case identifies execution of the “SilentCleanup” task.
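An added example, not the Anvilogic use case itself, showing the two checks a defender would pair with it: resolving the task's action path with the user's own environment overrides applied (the HKCU\Environment values, supplied here as a dict), and flagging task-launched cleanmgr executions whose image is not the genuine binary. The expected path, the system defaults and the Sysmon-style event fields are assumptions of the example.

```python
import ntpath
import re

# Action registered for the SilentCleanup task (per the description above); the user's own
# environment block is consulted when %windir% expands, which is the hijack.
TASK_ACTION = r"%windir%\system32\cleanmgr.exe"
EXPECTED_TARGET = r"C:\Windows\system32\cleanmgr.exe"
SYSTEM_DEFAULTS = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}

# Constructed process-creation events (Sysmon-style field names, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cleanmgr.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\cleanmgr.exe /autoclean /d C:"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\system32\cleanmgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\system32\cleanmgr.exe /autoclean /d C:"},
]


def audit_user_environment(user_env):
    """Resolve the task action with the user's HKCU\\Environment overrides applied.

    Returns (resolved_path, tampered); user_env maps variable names to values."""
    env = dict(SYSTEM_DEFAULTS)
    env.update({k.lower(): v for k, v in user_env.items()})
    resolved = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), TASK_ACTION)
    return resolved, ntpath.normcase(resolved) != ntpath.normcase(EXPECTED_TARGET)


def suspicious_cleanmgr_launches(events):
    """Flag task-launched 'cleanmgr' executions whose image is not the genuine system binary."""
    hits = []
    for e in events:
        parent = ntpath.basename(e["ParentImage"]).lower()
        # The schedule service (svchost) or taskeng starts task actions; if the command line
        # names cleanmgr but the image that actually ran lives elsewhere, %windir% was redirected.
        if parent in ("svchost.exe", "taskeng.exe") and "cleanmgr" in e["CommandLine"].lower():
            if ntpath.normcase(e["Image"]) != ntpath.normcase(EXPECTED_TARGET):
                hits.append(e["Image"])
    return hits
```

On a Windows host the user environment map can be read from HKCU\Environment with the standard winreg module and passed to audit_user_environment.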
Industry: N/A | Level: | Source: FireEye
CVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote attacker to run arbitrary code in the context of the current user as a result of improper handling of objects in memory. The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office used to insert and evaluate mathematical formulas. Because EQNEDT32.EXE was compiled with an older compiler and does not support address space layout randomization (ASLR), a technique that guards against exploitation of memory-corruption vulnerabilities, an attacker can easily alter the flow of program execution.
This use case is geared towards detecting a potentially malicious Microsoft Office payload (CVE-2017-11882) on the host.
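As an added illustration (not the use case's detection content), the following Python flags the Equation Editor behaviours that the benign embedding flow never produces, a child process or a network connection, and includes a small exposure check for the binary's presence on disk. The install paths and the constructed Sysmon-style events are assumptions of the example.

```python
import ntpath
import os

EQN_PATHS = [  # where Office installs Equation Editor (assumed; later Office security updates remove it)
    r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
]
# Constructed Sysmon-style events (EventID 1 = process creation, 3 = network connection); not real telemetry.
SAMPLE_EVENTS = [
    # Equation Editor started by the DCOM launcher: the normal flow when a document embeds an equation.
    {"EventID": 1, "Image": EQN_PATHS[0], "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{EQN_PATHS[0]}" -Embedding'},
    # Equation Editor never needs to spawn anything: a child process is the exploit's payload stage.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EQN_PATHS[0],
     "CommandLine": 'cmd.exe /c "%TEMP%\\stage2.exe"'},
    # An outbound connection from Equation Editor itself: second-stage download.
    {"EventID": 3, "Image": EQN_PATHS[0], "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}


def eqnedt_alerts(events):
    """Return (severity, reason, detail) for Equation Editor behaviour absent from the benign flow."""
    alerts = []
    for e in events:
        image = ntpath.basename(e["Image"]).lower()
        parent = ntpath.basename(e.get("ParentImage", "")).lower()
        if e["EventID"] == 1 and parent == "eqnedt32.exe":
            sev = "high" if image in LOLBINS else "medium"
            alerts.append((sev, "child process of EQNEDT32.EXE", e["CommandLine"]))
        elif e["EventID"] == 3 and image == "eqnedt32.exe":
            alerts.append(("high", "network connection from EQNEDT32.EXE",
                           f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return alerts


def equation_editor_present(paths=EQN_PATHS):
    """Exposure check: Equation Editor binaries still on disk (empty on a patched host or non-Windows)."""
    return [p for p in paths if os.path.exists(p)]
```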
Server-Side Includes (SSI) Injection
Industry: N/A | Level: | Source: OWASP
Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages. This feature is provided by Server-Side Includes (SSI), directives that the web server parses before serving the page to the user.
SSI injection can lead to remote command execution (RCE); however, most web servers have the exec directive disabled by default. The vulnerability is very similar to a classical scripting-language injection vulnerability. Reference: OWASP SSI Injection.
Industry: N/A | Level: | Source: GitHub
The createnetonly action uses the CreateProcessWithLogonW() API to create a new hidden process (unless /show is specified) with a SECURITY_LOGON_TYPE of 9 (NewCredentials), the equivalent of runas /netonly. The process ID and LUID (logon session ID) are returned. Specific Kerberos tickets can then be applied to this process with the ptt /luid:0xA.. parameter, assuming elevation. This prevents the erasure of existing TGTs for the current logon session.
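Added example, not from the tool's documentation (the createnetonly action above is Rubeus's) or from Anvilogic: the Secondary Logon service records the netonly logon this creates as a Security event 4624 with LogonType 9, which is the defender's pivot; the Python below triages such logons by the requesting process and follows the returned LUID into 4688 process-creation records. The event values are constructed; the field names are those of the real events.

```python
import ntpath

# Constructed Security-log records (EventData names as in the real 4624/4688 events, values invented).
SAMPLE_4624 = [
    {"TargetUserName": "alice", "LogonType": "2", "LogonProcessName": "User32 ",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "TargetLogonId": "0x3e7a1"},
    {"TargetUserName": "alice", "LogonType": "9", "LogonProcessName": "seclogo",
     "ProcessName": r"C:\Windows\System32\runas.exe", "TargetLogonId": "0xa8c21"},
    {"TargetUserName": "alice", "LogonType": "9", "LogonProcessName": "seclogo",
     "ProcessName": r"C:\Users\alice\Downloads\tool.exe", "TargetLogonId": "0xa9f00"},
]
SAMPLE_4688 = [
    {"SubjectLogonId": "0xa9f00", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"SubjectLogonId": "0x3e7a1", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]


def netonly_logons(events_4624):
    """LogonType 9 (NewCredentials) logons: the record CreateProcessWithLogonW with
    LOGON_NETCREDENTIALS_ONLY (runas /netonly) produces via the Secondary Logon service."""
    return [e for e in events_4624 if e["LogonType"] == "9"]


def triage_netonly(events_4624, expected_requesters=frozenset({"runas.exe"})):
    """Rank netonly logons: one requested by a process other than runas.exe is the interesting case.

    Returns (severity, user, requesting process, LUID); the LUID is the value later named with
    /luid:, so it is the pivot for correlating what ran in the new session."""
    findings = []
    for e in netonly_logons(events_4624):
        requester = ntpath.basename(e["ProcessName"]).lower()
        sev = "low" if requester in expected_requesters else "high"
        findings.append((sev, e["TargetUserName"], requester, e["TargetLogonId"].lower()))
    return findings


def processes_in_session(events_4688, luid):
    """Processes created under the new logon session (4688 SubjectLogonId == LUID): the ones
    that would use any tickets applied to that session."""
    return [e["NewProcessName"] for e in events_4688 if e["SubjectLogonId"].lower() == luid.lower()]
```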
Industry: N/A | Level: | Source: NIST, CISCO
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software (CVE-2020-3452) could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device.
An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.
The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.
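As an added example serving both the SSI injection section above and the Cisco ASA/FTD traversal description (not from OWASP, Cisco or Anvilogic), the Python below scans constructed access-log lines for SSI directive markers and directory-traversal sequences after bounded percent-decoding, which also catches double-encoded variants. The log format, addresses and paths are assumptions of the example.

```python
import re
from urllib.parse import unquote

# Combined-format access log; the request target is logged as received (still percent-encoded).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')
# SSI directive markers (exec is the one that turns an injection into command execution).
SSI_RE = re.compile(r"<!--\s*#\s*(exec|include|echo|cmd|config|set|printenv)\b", re.I)
# Directory-traversal sequences, checked after decoding so %2e%2e%2f and double encoding are caught.
TRAVERSAL_RE = re.compile(r"\.\.(/|\\|$)")

# Constructed log lines (TEST-NET addresses, invented paths), not a real server's log.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Nov/2021:10:01:02 +0000] "GET /index.shtml HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Nov/2021:10:01:05 +0000] "GET /search.shtml?q=%3C!--%23echo+var%3D%22DATE_LOCAL%22--%3E HTTP/1.1" 200 88',
    '203.0.113.5 - - [10/Nov/2021:10:02:11 +0000] "GET /download?name=../../config/settings.ini HTTP/1.1" 200 1290',
    '203.0.113.5 - - [10/Nov/2021:10:02:30 +0000] "GET /files/%252e%252e/%252e%252e/config/settings.ini HTTP/1.1" 404 0',
    '192.0.2.9 - - [10/Nov/2021:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 1024',
]


def decode_target(target, rounds=2):
    """Percent-decode repeatedly (bounded) so double-encoded sequences normalise; stops when stable."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_access_log(lines):
    """Return (line_no, client_ip, finding, status) for SSI-directive and traversal attempts."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = decode_target(m.group("target"))
        if SSI_RE.search(target):
            findings.append((n, m.group("ip"), "ssi-directive", m.group("status")))
        if TRAVERSAL_RE.search(target):
            # A 2xx status on a traversal request is the case to treat as a probable read, not just a probe.
            findings.append((n, m.group("ip"), "path-traversal", m.group("status")))
    return findings
```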
Publicly exposed Docker API
Industry: N/A | Level: | Source: Trend Micro, Intezer, NIST
Docker is a technology that allows you to perform operating system-level virtualization. An incredible number of companies and production hosts are running Docker to develop, deploy, and run applications inside containers.
You can interact with Docker via the terminal and also via the remote API. The Docker Remote API is a great way to control a remote Docker host, including automating deployment, controlling containers, retrieving the state of container processes, and more. With this great power comes great risk: if control falls into the wrong hands, your entire network can be in danger.
In February, a new Docker API vulnerability (CVE-2019-5736) was discovered that allows an attacker to gain root access on the host from a Docker container. The combination of this vulnerability and a publicly exposed remote Docker API can lead to a fully compromised host.
The Docker Remote API listens on ports 2375/2376. By default, the remote API is only accessible from the loopback interface (localhost, 127.0.0.1) and should not be reachable from external sources.
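Added example, not from the cited sources: an audit of the daemon's listener configuration, with a weak daemon.json and ExecStart beside a hardened daemon.json. It flags tcp hosts bound off-loopback and, separately, off-loopback listeners without tlsverify, which is the exposure the section warns about. The file contents are constructed; the daemon.json keys and dockerd flags are the real ones.

```python
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed configurations: the weak setting beside the corrected one (not a real host's files).
WEAK_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"], "tlsverify": true, '
                 '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", '
                 '"tlskey": "/etc/docker/server-key.pem"}')
WEAK_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"


def classify_host(spec):
    """Return (bind_address, port, exposed) for one -H/hosts entry; local sockets are never exposed."""
    if spec.startswith(("unix://", "fd://", "npipe://")):
        return spec, None, False
    u = urlsplit(spec if "://" in spec else "tcp://" + spec)
    host = u.hostname  # None for "tcp://:2375": treated as exposed here; confirm what your dockerd binds
    return host, u.port or 2375, host not in LOOPBACK


def audit_hosts(hosts, tls_verify):
    """Flag listeners reachable off-box, and off-box listeners that accept any client (tlsverify off)."""
    findings = []
    for h in hosts:
        host, port, exposed = classify_host(h)
        if exposed:
            findings.append(f"{h}: API reachable from non-loopback interfaces (port {port})")
            if not tls_verify:
                findings.append(f"{h}: no tlsverify, so any network client gets root-equivalent control")
    return findings


def audit_daemon_json(text):
    """Audit a daemon.json document (the hosts and tlsverify keys)."""
    cfg = json.loads(text)
    return audit_hosts(cfg.get("hosts", []), bool(cfg.get("tlsverify")))


def audit_execstart(line):
    """Audit a systemd ExecStart= line for dockerd; -H/--host may repeat, as -H x, -Hx or --host=x."""
    argv = shlex.split(line.split("=", 1)[1] if line.startswith("ExecStart=") else line)
    hosts = []
    for i, a in enumerate(argv):
        if a in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:
            hosts.append(a[2:])
    return audit_hosts(hosts, "--tlsverify" in argv or "--tlsverify=true" in argv)
```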