Anvilogic Forge Threat Research Reports

Lapsus$ Ransomware Gang Hacks Portugal's Media Conglomerate, Impresa

Over New Year's weekend, the Lapsus$ ransomware gang hacked Portugal's media conglomerate Impresa, affecting TV channel SIC and newspaper Expresso. The attack forced the media platforms offline and left a ransomware note on defaced sites. Lapsus$ also claimed access to Impresa's Amazon Web Services account.

Log4j 2.17.1

The Log4j 2.17.1 update addresses CVE-2021-44832, a remote code execution (RCE) vulnerability with a score of 6.6. The exploit requires the attacker to modify the Log4j configuration file. The flaw impacts versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4). The update fixes the issue by limiting JNDI data source names to the java protocol.

Diavol Ransomware - DFIR Report

The DFIR Report's intrusion analysis reveals that a BazarLoader infection, initiated via a phishing email with a malicious OneDrive link, led to the deployment of Diavol ransomware by Wizard Spider. The attack involved extensive reconnaissance, credential harvesting, lateral movement using RDP and AnyDesk, data exfiltration with FileZilla, and ransomware deployment.

AvoLocker Ransomware Backtracks

Broward Health Data Breach

Florida-based Broward Health disclosed a data breach that occurred on October 15th, 2021, affecting 1,357,879 individuals. The organization detected the incident four days later and promptly notified the FBI and the US Department of Justice. The breach compromised a range of patient data, including names, birth dates, physical addresses, phone numbers, financial information, social security numbers, emails, and medical information/history.

Aquatic Panda

CrowdStrike's OverWatch team identified Aquatic Panda attempting to exploit the Log4Shell vulnerability on a VMware Horizon instance at an academic institution. The threat actor ran DNS lookups, executed Linux commands on a Windows host, and used PowerShell to download scripts. They also attempted to harvest credentials by dumping LSASS memory. The institution mitigated the attack by patching the vulnerable application.