Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Intrusions from Asylum Ambuscade Runs with Mixed Objectives
Cybercrime group Asylum Ambuscade targets financial services and government entities in Central Asia, Europe, and North America. Using phishing emails exploiting the Follina vulnerability (CVE-2022-30190) and malicious Google Ads, the group deploys spyware like AHKBOT. Their objectives include stealing confidential information and webmail credentials, with mixed motives of espionage and financial gain. ESET highlights the group's evolving target profile and tactics.
CVE-2023-34362: Signs of Clop & MOVEit Dates Back to 2021
The MOVEit vulnerability, CVE-2023-34362, has been exploited by the Clop ransomware gang since 2021. Researchers from Kroll and Huntress revealed that Clop meticulously planned for mass exploitation, with significant activity noted in April 2022 and early as July 2021. Recent attacks starting May 27, 2023, targeted numerous organizations for data theft and extortion, leveraging the long US holiday weekend. Clop has notified victims, demanding communication by June 14, 2023.
Bl00dy Ransomware Compromises Indian University
The Bl00dy ransomware gang is actively targeting educational institutions using the PaperCut NG vulnerability CVE-2023-27350. The FBI and CISA issued advisories about this threat on May 12, 2023. Cyble Research and Intelligence Labs (CRIL) reported that Bl00dy has targeted at least six colleges and schools since May 1st. Their latest attack compromised an Indian university, with the group providing screenshots of their administrative access via RDP.
North Korea Refines Social Media Tactics for Targeting of Specific Sectors
A joint advisory from US and South Korean intelligence agencies warns of North Korean threat group Kimsuky targeting education, media, and think tanks. Kimsuky uses refined social media tactics and spearphishing for information collection. By impersonating trusted sources, Kimsuky tricks victims into exposing sensitive information, aiding the regime's cyber espionage efforts.
UAC-0006 Distributes SmokeLoader Backdoor
On May 29, 2023, CERT-UA reported a campaign by UAC-0006 distributing SmokeLoader malware via phishing emails. The emails contain archive attachments (HTML, VHDX, VHD) leading to a JavaScript loader that downloads and installs SmokeLoader. An error led to a Cobalt Strike beacon in one case. The campaign uses Russian domains and repurposed tools, attributed to UAC-0006.
Void Rabisu Shifts Motives for Geopolitical Opportunities
Trend Micro has identified a shift in Void Rabisu's motives, now targeting Ukrainian government, military, energy, and utilities sectors, as well as European and US allies. Since October 2022, Void Rabisu has deployed the RomCom backdoor, refining it for command execution and detection evasion. The group uses Google Ads and phishing to distribute RomCom, posing as legitimate software like AstraChat. The malware's capabilities include data exfiltration, remote access, and cryptocurrency theft.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
