Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Lapsus$ Breached T-Mobile
Independent researcher Brian Krebs reveals that the data extortion group Lapsus$ breached T-Mobile in March 2022, stealing source code for various company projects. T-Mobile confirms the breach but states that no customer or government data was compromised. Lapsus$ used compromised systems and credentials from the Russian Market and insider access to conduct the attack. Although the hackers faced some resistance from T-Mobile employees, they managed to access the customer management tool Atlas but were thwarted in their attempts to access FBI and Department of Defense accounts.
FBI Warns of Ransomware Threat to Food and Agriculture Organizations
The FBI's latest alert warns that ransomware actors are likely to target agricultural cooperatives during planting and harvest seasons. Recent attacks against grain cooperatives and agricultural companies aim to disrupt operations, cause financial losses, and impact the supply chain. Initial attack vectors exploit common vulnerabilities, posing severe risks to the food and agriculture sectors.
Catching Up With Emotet
Fortinet has reviewed recent Emotet campaigns, noting a variety of attack techniques involving malicious documents. Since reemerging in November 2021, Emotet has been highly active, though activity tapered slightly after Microsoft disabled Excel 4.0 macros by default in January 2022. Analysis of five malicious document samples revealed the use of Excel or Word documents containing malicious VBA macros or Excel 4.0 macros to deliver Emotet. Execution typically involves wscript, PowerShell, or Mshta to download the Emotet payload, which is then executed with rundll32 or regsvr32.
Hive Ransomware Attack Analysis
The Varonis Forensics Team investigated a Hive ransomware attack, which executed in under 72 hours. Exploiting the Exchange Proxyshell vulnerability, attackers used PowerShell invoke-expression commands to download Cobalt Strike payloads, achieved persistence by creating new user accounts and dumping credentials with Mimikatz. They moved laterally using mstsc.exe, conducted network discovery with SoftPerfect, and saved data to a text file. In the final attack stages, the ransomware disabled volume shadow copies, stopped services, and cleaned Windows Security logs. Hive ransomware, first observed in June 2021, targets sectors like healthcare, nonprofits, and energy providers.
Okta Completes Investigation of January 2022 Breach
Okta's investigation into the January 2022 data breach reveals a smaller scope than initially anticipated. Only two customer tenants were accessed for 25 minutes, with no configuration changes or password resets. The breach stemmed from a compromised Sitel support engineer's workstation. Okta has since terminated its relationship with Sitel.
North Korean APT Groups Target Blockchain and Cryptocurrency Companies
CISA, FBI, and Treasury warn of North Korean APT groups targeting blockchain and cryptocurrency firms. Groups like Lazarus and APT38 use social engineering and trojanized apps in "TradeTraitor" campaigns to infiltrate systems, steal credentials, and execute fraudulent transactions.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
