Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
CISA Update on Conti Ransomware
The Cybersecurity & Infrastructure Security Agency (CISA) has updated alert AA21-265A, tracking Conti ransomware and providing new indicators of compromise (IOC) associated with the group. Conti ransomware has impacted over 1,000 organizations in the U.S. and internationally, often using Trickbot and Cobalt Strike as prevalent attack vectors. The group typically gains initial access through phishing emails or stolen accounts, employing various post-compromise techniques such as RDP brute force attacks, Kerberos attacks, running discovery commands to enumerate networks, spreading via SMB, stopping services, and deleting shadow copies.
CVE-2022-26143: TP240PhoneHome
A sharp increase in DDoS attacks utilizing UDP port 10074 has been observed since mid-February 2022 by researchers from Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, NETSCOUT Arbor ASERT, TELUS, Team Cymru, and The Shadowserver Foundation. The source of this activity, CVE-2022-26143, has been traced to MiCollab and MiVoice Business Express collaboration systems produced by Mitel. The attacks exploit the tp240dvr service, designed for stress-testing clients, which should not be exposed to the internet. An estimated 2600 systems were improperly provisioned, enabling attackers to execute high-volume reflection/amplification DDoS attacks. Impacted industries include financial, gaming, and logistics. The largest observed attack reached approximately 53 million packets-per-second (mpps) and 23 gigabits-per-second (gb/sec) over a 5-minute duration. Mitel is currently working on a patch to disable the exposed system test facility.
Cybereason LOLBins & BITSadmin
Cybereason's threat hunting post examines the abuse of Living Off the Land Binaries (LOLBins), with a focus on BITSadmin. Malware variants like Astaroth and Egregor exploit these trusted binaries to download payloads and move files. The post highlights various LOLBins and their malicious uses.
Emotet Surges in Japan
Cybereason reports a surge in Emotet malware targeting Japanese organizations in the first quarter of 2022. The malware is distributed via malicious Excel documents and executed using regsvr32 with a .ocx file extension. Emotet establishes persistence in the registry and conducts reconnaissance without using PowerShell for deployment.
Cyber Incident Reporting Bill
The U.S. Senate has approved legislation mandating critical infrastructure operators to report breaches to CISA within 72 hours and ransom payments within 24 hours. This bill, expected to be signed by President Biden, aims to enhance intelligence sharing and national cybersecurity.
BazarLoader Malware Leverages Contact Forms
Abnormal Security observed BazarLoader exploiting online contact forms from December 2021 to January 2022. Attackers posed as prospective customers to send malicious links via file sharing services like TransferNow and WeTransfer. The downloaded files included an ISO file (a .lnk shortcut) and a .log file (the BazarLoader DLL). If executed, the shortcut file used regsvr32.exe to run the DLL, injecting it into svchost.exe. The campaign likely aims to deploy Conti ransomware or Cobalt Strike."
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
