Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Bumblebee Loader Pairs with Quantum Ransomware
Kroll's Cyber Risk tracking of Bumblebee loader has identified its use in Quantum Locker's ransomware campaigns. Bumblebee serves as the initial infection vector, leading to the download of Cobalt Strike and subsequent ransomware deployment within 22 hours. The campaigns typically start with phishing emails or web contact forms, delivering the Bumblebee payload within an ISO file containing a shortcut (LNK) and DLL file. Upon execution, the DLL file downloads Bumblebee, which creates persistence through a scheduled task. Bumblebee includes features such as using Windows Management Instrumentation (WMI) for reconnaissance, executing commands via PowerShell or Wscript, process injection, and C2 communication.
Windows Search Vulnerability Identified
BleepingComputer reports a Windows search vulnerability allowing malicious code execution via Word documents. The 'search-ms' URI protocol handler can query remote file shares, enabling the attacker's application to run if the victim executes the file and accepts the security prompt.
Red Canary's Latest Research Explores Email Auto-Forwarding Rules
Red Canary's research highlights the dangers of email auto-forwarding rules in business email compromises. Adversaries use these rules to exfiltrate data and maintain access to compromised accounts, causing significant financial losses. The FBI's IC3 reports victims' losses exceeding $43 billion from June 2016 to December 2021.
NCC Group’s Recap of Ransomware Activity in April 2022
NCC Group's April 2022 review indicates a rise in ransomware activity compared to March 2022 and 2021. Industrial, consumer cyclical, and technology sectors were most targeted. Notable increases in Cl0p ransomware incidents were observed, while Lockbit 2.0 and Conti remained the most problematic groups.
Mandiant's Tracks Ransomware Group Lockbit
Mandiant's tracking of activity cluster UNC2165 reveals its origins with Evil Corp and its current affiliation with Lockbit ransomware to evade sanctions imposed by the U.S. Treasury Department's OFAC in December 2019. UNC1543's FakeUpdates campaign provides UNC2165 with initial access by luring victims with malicious browser updates, delivering malware such as Dridex. Post-compromise tactics include using Mimikatz, Kerberoasting, native Windows utilities, and open-source tools for reconnaissance, and lateral movement with SSH, RDP, and PsExec. Persistence is maintained through scheduled tasks and user account creation, while system defenses are disabled to facilitate ransomware deployment.
Hive Ransomware Strikes Costa Rica Public Health Agency
On May 31, 2022, a Hive ransomware attack targeted Costa Rica's public health service and the Costa Rican Social Security Fund (CCCS). While services were disrupted, critical health and tax data in the EDUS and SICERE systems were not compromised. This incident follows a Conti ransomware attack on the CCCS on May 9, 2022, leading to a national emergency declaration by President Rodrigo Chaves.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
