Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Chinese APTs Targeting Russian Organizations
Research from SentinelLabs and CERT-UA has identified Chinese espionage groups targeting Russian government organizations. The campaign involves distributing malicious documents through phishing emails that deploy a remote access trojan named Bisonal. These documents, created using the Royal Road tool, exploit the Microsoft Equation Editor vulnerability, CVE-2018-0798. With medium confidence, the activity is suspected to be associated with the Tonto Team APT group (also known as 'CactusPete' and 'Earth Akhlut'). However, the increased rate of targeting Russian organizations suggests the involvement of multiple Chinese threat actor groups. On July 6th, 2022, Nikolay Murashov, deputy director of Russia's National Coordination Center for Computer Incidents, reported an average of over 200 cyberattacks daily against Russian government agencies.
Lockbit Ransomware Attacked Industrial and Retail Organizations
Cybereason investigated two Lockbit ransomware attacks: one on an industrial organization in late 2021 and another on a retail organization in mid-2022. In both cases, Lockbit operators quickly established persistence, gathered credentials, and exfiltrated data. The retail attack involved a week-long timeline, using tools like Ngrok, Rclone, MegaSync, and Filezilla, and exploiting the SpoolFool vulnerability (CVE-2022-21999) in the industrial attack. Common tactics included using Mimikatz, PsExec for lateral movement, clearing event logs, and disabling security defenses before deploying the ransomware.
Brute Ratel C4 Trending
Palo Alto Unit42's latest research highlights the rise of Brute Ratel C4 (BRc4), a penetration testing tool created by Chetan Nayak in December 2020. Favored over Cobalt Strike by some threat actors, BRc4 is designed to evade detection from endpoint detection and response (EDR) and antivirus (AV) products. The tool communicates with command and control (C2) servers via Amazon Web Services (AWS) IP addresses, impersonating Microsoft. BRc4 uses 'badgers' for command reception, and its deployment mimics advanced persistent threat (APT) tactics, including the use of ISO files, LNK files, and legitimate Microsoft signed binaries. BRc4 is available for $.These industries highlight the key areas impacted by the rise of Brute Ratel C4, emphasizing cybersecurity challenges and the implications for IT and enterprise security solutions.
Tallying the Cyberattacks Against Ukraine
Since the Russia-Ukraine conflict began on February 24th, 2022, SSSCIP has tracked 796 cyberattacks against Ukraine. Government organizations faced the most attacks (179), followed by security and defense (104), finance (55), commercial organizations (54), energy (54), and 350 uncategorized groups. Despite high frequency, attack quality has declined.
PwnKit/CVE-2021-4034 Exploited in the Wild
The PwnKit/CVE-2021-4034 vulnerability, impacting major Linux distributions, has been added to CISA's exploited vulnerabilities catalog. Discovered by Qualys in January 2022, this local privilege escalation flaw allows unprivileged users to gain administrative rights. CISA mandates all organizations, including FCEB agencies, to patch by July 18th to prevent exploitation.
Evilnum APT Targeting United Kingdom and Europe
Zscaler's ThreatLabz has been tracking the Evilnum APT group targeting financial services and international organizations in the UK and Europe since early 2022. The group uses phishing emails with macro-enabled Microsoft Office documents, leveraging advanced obfuscation and VBA code stomping techniques to bypass analysis. Despite their activity, Evilnum's network infrastructure remains undetected by security vendors.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
