Anvilogic Forge Threat Research Reports

Here you can find an accumulation of trending threats published weekly by the Anvilogic team.

We curate threat intelligence to provide situational awareness and actionable insights.

Threat Identifier Detections

Atomic detections that serve as the foundation of our detection framework.

Threat Scenario Detections

Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.

Reports Hot Off the Forge

Threat News Reports
Trending Threat Reports
Research Articles

Forge Threat Report

Forge Report: First Half Threat Trends of 2024

Anvilogic Forge's latest report offers essential insights into key threat trends and adversarial tactics observed in the first half of 2024. From the pervasive use of PowerShell and remote access tools to sophisticated social engineering and attacks on the healthcare sector, this comprehensive analysis provides actionable intelligence and detection rules to bolster your defenses. Explore our key findings and access ready-to-deploy detection content to enhance your security posture.

All Threat Reports

07-20-2023 | Level: Strategic | Source:

APT29 Adopts Car Sales Persona for Phishing Campaign

The Russian threat group APT29, also known as Cloaked Ursa, has launched a new phishing campaign disguised as car sales to deliver malware to pro-Ukrainian diplomats. The campaign, which started in May 2023, revolves around distributing weaponized car flyers, primarily to public email addresses. When an unsuspecting diplomat clicks on the car images within the email, a malicious execution chain begins: an ISO container file holding shortcut files is downloaded, a malicious DLL is injected into a Windows process, and a decrypted final payload is executed. This payload then establishes connections to both Dropbox and the Microsoft Graph API, which serve as its command and control (C2) channels for further communication. Researchers from Unit 42 note that the campaign focuses more on the diplomats themselves than on the countries they represent.

Government
07-20-2023 | Level: Tactical | Source:

Mandiant Spoils Russia's Military Playbook on Ukraine

Mandiant's recent analysis exposes a six-phase cyber operation by Russia's military intelligence (GRU) against Ukraine, starting in 2019. The six phases are strategic cyber espionage, initial destructive cyber operations, sustained attacks, maintaining footholds, renewed disruptive attacks, and a refocus on strategic cyber espionage. The operation targets critical Ukrainian organizations in government, telecommunications, financial services, energy, and transportation. The GRU employs various techniques, including compromising edge infrastructure, stealthy reconnaissance, maintaining persistence, and deploying disruptive tools such as wipers and ransomware. Additionally, the threat actors promote their campaigns on social media channels to amplify their narratives. The Mandiant report highlights the sophistication and strategic planning of these cyber attacks, indicating a deliberate effort by the GRU to increase the speed, scale, and intensity of offensive cyber operations while minimizing the chance of detection.

Critical Infrastructure
Government
Energy
Financial
Telecommunications
07-20-2023 | Level: Tactical | Source:

Mandiant Sees an Increase in USB Infections in 2023

Mandiant researchers have observed a significant rise in USB infections during the first half of 2023, with their metrics indicating a threefold increase. The campaign targets a wide range of industry sectors, including print shops and hotels, and aims to steal data and provide a foothold for future attacks. The malware families used in these attacks, SOGU and SNOWYDRIVE, rely on DLL hijacking to establish a foothold in the victim's systems. The attacker's lifecycle includes implementing persistence mechanisms, escalating privileges, conducting reconnaissance, propagating through the network, and exfiltrating sensitive data. The report highlights the importance of cybersecurity vigilance and the urgent need for preventive measures against such attacks.

Global
07-20-2023 | Level: Tactical | Source:

TeamTNT Scans Relentlessly to Compromise Targets

In a new, aggressive cloud campaign, TeamTNT is aiming to expand its botnet by relentlessly scanning the internet for misconfigurations and exposed services on various platforms. AquaSec researchers Ofek Itach and Assaf Morag, having infiltrated TeamTNT's command and control (C2) server, discovered that the botnet perpetually scans the entire internet, claiming at least two new victims per hour. The increased efficiency of TeamTNT's scanning mechanisms, coupled with its extensive toolbox of scripts, poses a significant global threat and underlines the critical importance of properly configuring and securing cloud instances.

Global
07-13-2023 | Level: Strategic | Source:

Nickelodeon Admits a Data Breach

Nickelodeon, an American television channel owned by Paramount Media Networks, has admitted to a data breach that resulted in approximately 500GB of compromised document and media files from its animation department. Despite reports of the data leak, Nickelodeon claims the breached data is "decades old." Investigations into the incident are ongoing, and the company has assured the public that the files do not appear to come from a recent system breach. The breach emphasizes the importance of stringent data security measures in the entertainment and media industry.

Entertainment
Media
07-13-2023 | Level: Strategic | Source:

Major Japanese Port Resumes Operations

The Port of Nagoya, one of the largest ports in Japan, has resumed operations after a significant ransomware attack on July 4th, 2023. The attack, linked to the LockBit 3.0 ransomware gang, caused major disruptions in cargo handling due to system failures. Although restoration was delayed by the need for extensive inspection of backup data, the port managed to recover without paying a ransom. The incident underscores the vulnerability of vital trading infrastructure to cyber threats.

Logistics
Shipping

Intelligence Levels for Threat Reports

Tactical

Detectable threat behaviors for response with threat scenarios or threat identifiers.

Strategic

General information security news, for awareness.



Build Detections You Want,
Where You Want