Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
An Escalated Campaign with Manic Menagerie 2.0
The 'Manic Menagerie 2.0' threat campaign, an evolution of the original Manic Menagerie, aims to compromise web resources and deploy coin miners for financial gain. It targets web hosting and IT providers mainly in the United States and European Union. The threat actors exploit various vulnerabilities in web applications and IIS servers, deploying web shells to establish a foothold. During the second wave of attacks in 2022, they focused on deploying web shells at scale using a custom tool, strengthening their foothold and hiding web shells in nested folders. The threat actors also escalate privileges, add persistence mechanisms, and use various tools, such as RunasCs, PCHunter, and others, for these operations.
Microsoft Studies BlackBytes' Operations
Microsoft's Incident Response team has studied the operations of BlackByte 2.0, revealing a systematic five-day intrusion process. The attacks start with the exploitation of ProxyShell vulnerabilities, followed by remote command execution and system persistence establishment. BlackByte then uses tools like AdFind and NetScan for network enumeration and likely Mimikatz for credential theft. The group leverages stolen credentials to move laterally using RDP and PowerShell. An ExByte executable is deployed, which is specifically crafted for each victim, to collect and exfiltrate data to MEGA cloud storage service before commencing data encryption.
BlackCat Abuses Search Ads with Malicious WinSCP Downloads
The BlackCat ransomware gang is exploiting search ads to trick users into downloading a malicious version of the WinSCP file transfer application. The victims were lured in through a fraudulent tutorial which led them to a compromised WordPress site. Despite gaining high-level administrative privileges, the attackers were prevented from executing their final payload by Trend Micro's intervention. The group's tactics involved an array of tools including Python scripts, batch scripts, AdFind, Cobalt Strike, PowerShell, PowerView, PsExec, BitsAdmin, and AnyDesk.
Killnet Grows & Hones Their Attack Potency
The infamous Russian-linked Killnet threat group has been growing and evolving its attack tactics since 2022. Initially emerging amidst Russia's invasion of Ukraine, the group has been known for executing significant DDoS attacks against targets in Ukraine and its supporters. A recent report from Mandiant reveals that while there is no direct evidence linking Killnet to Russia, the group's operations consistently mirror Russian strategic objectives. Killnet's capabilities have expanded thanks to affiliates like REvil, Zarya Splinters, and notably Anonymous Sudan. With over 500 victims since the beginning of 2023, the threat group has shown no signs of slowing down, targeting numerous industries, mainly technology, social media, and transportation. Following their recent disruptive attack on Microsoft services, it's expected that Killnet will continue to bolster its attack potency.
Novel Attack Techniques from Threat Actor Targeting Middle East and African Government Orgs
Palo Alto's Cortex team uncovers CL-STA-0043, a suspected nation-state threat actor, deploying innovative espionage techniques against Middle East and African government organizations. With an objective of acquiring sensitive political and military data, this actor exhibits broad capabilities, including zero-day exploits and a variety of penetration tools.
Attacks from 8Base Ransomware Gang Surges
8Base ransomware gang's attacks increased significantly between May and June 2023, targeting various industries. The group uses double extortion tactics and claims to target only companies neglecting data privacy. VMware's analysis suggests that 8Base might be an off-shoot of RansomHouse or a copycat due to significant similarities in their ransom notes and data leak websites.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
Trusted by leading teams at
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
