Anvilogic Forge Threat Research Reports

ONUS Compromised from Log4Shell

The ONUS cryptocurrency platform was compromised via the Log4Shell vulnerability, leading to the exposure of 2 million users' data. Attackers exploited insecure AWS S3 configurations to access sensitive information and deploy a backdoor, allowing further access. The attack revealed user EKYC data, personal information, and password hashes.

Purple Fox Rootkit

Minerva reports a malicious Telegram installer, identified by MalwareHunterTeam, spreading the Purple Fox rootkit. The installer evades detection, modifies the registry, and bypasses UAC. It then exfiltrates information on AV products to the C2 server and downloads the Purple Fox rootkit, compromising the victim's system.

Lapsus$ Ransomware Gang Hacks Portugal's Media Conglomerate, Impresa

Over New Year's weekend, the Lapsus$ ransomware gang hacked Portugal's media conglomerate Impresa, affecting TV channel SIC and newspaper Expresso. The attack forced the media platforms offline and left a ransomware note on defaced sites. Lapsus$ also claimed access to Impresa's Amazon Web Services account.

Log4j 2.17.1

The Log4j 2.17.1 update addresses CVE-2021-44832, a remote code execution (RCE) vulnerability with a score of 6.6. The exploit requires the attacker to modify the Log4j configuration file. The flaw impacts versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4). The update fixes the issue by limiting JNDI data source names to the java protocol.

Diavol Ransomware - DFIR Report

The DFIR Report's intrusion analysis reveals that a BazarLoader infection, initiated via a phishing email with a malicious OneDrive link, led to the deployment of Diavol ransomware by Wizard Spider. The attack involved extensive reconnaissance, credential harvesting, lateral movement using RDP and AnyDesk, data exfiltration with FileZilla, and ransomware deployment.

AvoLocker Ransomware Backtracks