Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Red Canary Gives Insights of Where BITSAdmin Can Initiate a Investigation
Red Canary's detailed blog post highlights the crucial aspects of detecting and responding to a potential cyber threat involving the BITSAdmin tool. The incident began with an alert triggered by BITSAdmin downloading a suspicious file, flagged due to unusual admin activities and connections to a Russian IP. Further investigation revealed the creation of admin accounts with passwords linked to Russian business entities and interests.
Abuse of OAuth Applications for Cryptomining and Phishing
Microsoft's Threat Intelligence team has identified a significant increase in cyber threats exploiting OAuth applications for financial gains. Attackers are manipulating OAuth, a secure authorization protocol, to automate malicious actions like deploying virtual machines for cryptocurrency mining, establishing persistence in BEC campaigns, and initiating large-scale spamming activities. In one case, threat actor Storm-1283 used a compromised account to create an OAuth application, deploying virtual machines for cryptomining and incurring compute fees up to $1.5 million USD.
Lazarus Targets the Continued Relevance of the Log4j Vulnerability
Cisco Talos reports that the North Korean state-sponsored Lazarus Group, as part of Operation Blacksmith, continues to exploit the two-year-old Log4j vulnerability, CVE-2021-44228, for initial access. This campaign involves new DLang-based malware targeting industries in South America and Europe. The Lazarus Group, encompassing various sub-groups like Andariel APT, employs these advanced tactics to support North Korea's national interests.
Octo Tempest Flourishing with High-Pressure Social Engineering Attacks
Octo Tempest, a financially motivated cyber threat group, has escalated its sophisticated cyberattacks since first being detected in March 2022. Microsoft's research highlights the group's advanced social engineering tactics, strategically focusing on high-privilege users within targeted organizations. Techniques include SIM-swapping and impersonation, often convincing users to change passwords or reset MFA settings.
APT28's Persistent Attacks Abuses Outlook Vulnerability, CVE-2023-23397 Since 2022
APT28, a Russian state-sponsored threat group, has been actively exploiting a critical privilege escalation vulnerability, CVE-2023-23397, in Microsoft Outlook. Identified by Unit 42, this exploitation dates back to March 2022, targeting over 30 organizations in 14 nations. The victims span a wide range of industries, including government, defense, energy, telecommunications, and more, primarily targeting NATO-related entities.
Securing the Cloud: Red Canary's Insightful Report on STS Abuse Tactics
Red Canary's threat detection blog highlights the critical role of AWS's Secure Token Service (STS) in cloud security. The report reveals how adversaries abuse STS to impersonate user identities and roles within AWS, leading to significant security threats. Common methods of initial access include malware infections, phishing, and exposed credentials, enabling adversaries to compromise long-term IAM tokens (AKIA).
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
-min.png)
The World's Best SOC Teams Use Anvilogic
.svg)
