Anvilogic Forge Threat Research Reports

Here you can find an accumulation of trending threats published weekly by the Anvilogic team.

All Threat Reports

Categories

All
Show More

Industries

All
Show More

Levels

All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
This is some text inside of a div block.
09
-
21
-
2023
Level:
Tactical
|
Source:

Six Month Intrusion of an Asian Electrical Company

Threat actors, identified as Redfly, breached an Asian national grid for a total of six months, starting on February 28th, 2023, as reported by Symantec. Their operations, which culminated on August 3rd, included a series of actions like compromising credentials, using keyloggers, deploying drop loaders, and infecting additional network hosts. Notably, they showed a clear intent by targeting critical infrastructure organizations. While their attack pattern was intermittent, they were most active in May, showing several activities on specified dates, deploying payloads, stealing credentials, and establishing persistence. Their activity spiked again at the end of July. The persistent targeting of critical infrastructure by Redfly presents a significant threat, with the potential to disrupt essential services, particularly during politically tensed times.

Critical Infrastructure
This is some text inside of a div block.
09
-
21
-
2023
Level:
Tactical
|
Source:

Iran-Linked APT33/Peach Sandstorm Ongoing Password Spray Attacks Unveiled by Microsoft

Microsoft disclosed activities linked to Peach Sandstorm (known as APT33, Elfin, and Refined Kitten), an Iranian threat actor, launching password spray attacks since February 2023. The focus has been on industries like satellite, defense, and pharmaceuticals, especially in countries like Israel, the US, Brazil, and the UAE. This shift narrows down from their previous target sectors such as aviation and healthcare. The motive appears to be supporting Iranian state interests by collecting vital intelligence.

Defense
Pharmaceutical
Telecommunications
This is some text inside of a div block.
09
-
21
-
2023
Level:
Tactical
|
Source:

BumbleBee Swarms with QakBot's Takedown

Following the QakBot disruption by the FBI, there's been a surge in BumbleBee malware attacks. Kostas, a notable security researcher from the DFIR Report community, has outlined a BumbleBee tactic where the malware uses command line actions to map a network drive to a remote site, transfer user credentials, download a file, and search for 'notepad.exe' files. The method suggests potential file manipulation, highlighting the shifting tactics in the malware landscape post-QakBot's takedown.

Global
This is some text inside of a div block.
09
-
21
-
2023
Level:
Strategic
|
Source:

A String of CryptoWallet Thefts Point to Cracked LastPass Vaults

Following the 2022 LastPass data breach, investigative journalist Brian Krebs points to an alarming rise in CryptoWallet thefts. Key voices from the industry, such as MetaMask's Taylor Monahan and Unciphered's Nick Bax, echo these concerns. The ongoing situation underscores the vulnerabilities even in renowned security platforms and the increasing sophistication of cyber threats.

Technology
This is some text inside of a div block.
09
-
21
-
2023
Level:
Strategic
|
Source:

Storm-0324 An Enabler of Ransomware

Microsoft's latest research unveils the threat actor Storm-0324, active since 2016, now targeting via Microsoft Teams chats. Historically using email-based vectors with deceptive themes, their move signifies an evolution in attack strategy. They've distributed malware like IcedID and ransomware such as Sage. Notably, from 2019, Storm-0324 has primarily spread JSSLoader, which could escalate to a ransomware impact when handed to groups like Sangria Tempest.

Global
This is some text inside of a div block.
09
-
14
-
2023
Level:
Tactical
|
Source:

Okta Warns of a Intricate Attack Targeting Privileged Accounts

Recent findings from Okta reveal a meticulously crafted series of social engineering attacks targeting their US-based customers. These attackers aim for the most privileged admin accounts. After succeeding, they exploit identity federation features, mimicking users within the compromised organizations. Okta's insights show the threat actors possess either direct access to privileged account passwords or the ability to interfere with Active Directory. They've also leveraged a unique tactic by employing a secondary identity provider to act as an impersonation tool.

Global

We curate threat intelligence to provide situational awareness and actionable insights

Threat Identifier Detections

Atomic detections that serve as the foundation of our detection framework.

Threat Scenario Detections

Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.

Reports Hot Off the Forge

Threat News Reports
Trending Threat Reports
ResearchArticles

Intelligence Levels for Threat Reports

Tactical

Detectable threat behaviors for response with threat scenarios or threat identifiers.

Strategic

General information security news, for awareness.

The World's Best SOC Teams Use Anvilogic

Paypal Logo
Rubrik Logo
Deloitte Logo
Ebay Logo
Regeneron Logo
SurveyMonkey Logo
TradeWeb Logo
Alteryx Logo
First Citizens Bank Logo
Sigma Logo
Crypto.com Logo
CSC Logo
Rakuten Mobile Logo
St. George's University Logo
Paypal Logo
Rubrik Logo
Deloitte Logo
Ebay Logo
Regeneron Logo
SurveyMonkey Logo
TradeWeb Logo
Alteryx Logo
First Citizens Bank Logo
TJX Logo
Sigma Logo
Crypto.com Logo
CSC Logo
Rakuten Mobile Logo
St. George's University Logo
Paypal Logo
Rubrik Logo
Deloitte Logo
Ebay Logo
Regeneron Logo
SurveyMonkey Logo
TradeWeb Logo
Alteryx Logo
First Citizens Bank Logo
TJX Logo
Sigma Logo
Crypto.com Logo
CSC Logo
Rakuten Mobile Logo
St. George's University Logo

Scale Detection Engineering And Threat Hunting Across All Of Your Data Lakes And Security Tools.

Scale Detection Engineering And Threat Hunting Across All Of Your Data Lakes And Security Tools.