Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Attackers' Bluff Exposed in S3 Bucket Deletion Scam
Cybersecurity analyst Stephan Berger (@malmoeb) has exposed a scam involving the deletion of AWS S3 buckets, where attackers then demand a ransom. The incident began with reconnaissance in January 2024, escalating to the deletion of an S3 bucket in February. The attackers left a ransom note and a supposed recovery binary, which Berger identified as a decoy designed to pressure victims into paying the ransom. The investigation revealed that only a small fraction of data was compromised, highlighting the deceptive nature of the attackers' claims. This analysis underscores the importance of skepticism and thorough investigation in the face of ransom demands.
More Ransomware Gangs Pounce on ScreenConnect Vulnerabilities
Trend Micro reports escalating ransomware attacks by Black Basta and Bl00dy gangs exploiting ScreenConnect vulnerabilities, CVE-2024-1708 and CVE-2024-1709, in versions 23.9.7 and earlier. The vulnerabilities, leading to ransomware deployment and data theft, are a critical security risk requiring immediate action. Attackers utilize sophisticated techniques, including path traversal and authentication bypass, to conduct reconnaissance, escalate privileges, and deploy malicious payloads such as Cobalt Strike beacons. These findings underscore the importance of updating and securing network environments against these emerging threats.
Government Agencies Warn of ALPHV's Aggression Against Healthcare Organizations
The FBI, CISA, and HHS have issued a joint cybersecurity advisory warning of increased ALPHV/Blackcat ransomware attacks on the healthcare sector. Despite actions against the gang in December 2023, their activity persists with enhanced tactics. The advisory highlights the use of sophisticated tools and techniques, emphasizing the healthcare industry's need for heightened security measures and vigilance.
LockBit Ransomware Infrastructure Dismantled in Multi-Country 'Operation Cronos' Effort
'Operation Cronos,' a collaborative effort by law enforcement in ten countries, has significantly disrupted the LockBit ransomware group, leading to the takedown of 34 servers and the arrest of two major actors. This operation, which inflicted billions in damages globally, showcases the international commitment to combating cybercrime. Despite the takedown, LockBit vows to continue operations, hinting at increased targeting of governmental sectors. This unfolding scenario underscores the persistent and evolving threat of ransomware and the importance of global cooperation in cybersecurity efforts.
Critical Vulnerabilities in ScreenConnect Remote Access Software Dubbed 'SlashAndGrab'
ConnectWise's ScreenConnect faces critical vulnerabilities, CVE-2024-1709 and CVE-2024-1708, enabling authentication bypass and path traversal attacks. Labeled 'SlashAndGrab' by cybersecurity experts, these flaws pose severe risks including remote code execution and data compromise. Urgent patching is advised for versions up to 23.9.7, with exploitation leading to LockBit ransomware and AsyncRAT deployment. Detection guidance includes monitoring ScreenConnect directories for suspicious file modifications and leveraging Advanced Auditing policies.
BfV and NIS Issue Joint Advisory on North Korean Cyber Threats to Defense and Research Sectors
Germany's BfV and South Korea's NIS issue a joint advisory on North Korean cyber-espionage targeting defense and research sectors. Highlighting campaigns like a sophisticated supply-chain attack and "Operation Dream Job," the advisory emphasizes the need for robust security measures. Techniques include social engineering and malware deployment, aiming to exfiltrate military technologies. Recommendations include enforcing least privilege, strong passwords, and multi-factor authentication to mitigate these threats.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
Trusted by leading teams at
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
