Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights.
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections that use the outputs of Threat Identifiers to identify actual threats.
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
MFA Prompt-Bombing
MFA prompt-bombing is a tactic used by threat groups like Lapsus$ and APT29 to bypass older MFA methods. Attackers bombard users with verification requests until they approve access, exploiting push-button verification. This technique was used in the SolarWinds compromise and recent breaches by Lapsus$, including the Microsoft breach. Mandiant explains that attackers issue multiple MFA requests to the end user’s device until they accept, allowing access. While FIDO2 implementation is a step forward, companies must strengthen their security frameworks to mitigate this threat.
Deep Panda & Fire Chili Rootkits
FortiGuard Labs researchers identified Deep Panda, a Chinese APT group, exploiting the Log4Shell vulnerability using a new rootkit called Fire Chili. The attack involves certificates stolen from gaming companies and targets vulnerable VMware Horizon servers with encoded PowerShell commands to install malicious DLL files.
Spring Vulnerabilities
On March 29th, 2022, critical vulnerabilities in the Spring framework, including Spring4Shell (CVE-2022-22965) affecting Spring Core and an RCE flaw (CVE-2022-22963) in Spring Cloud Function, were identified. Exploits require JDK 9+, Apache Tomcat, and specific deployment conditions. Spring Core versions 5.3.17 and older are impacted.
New Attack: Browser-in-the-Browser (BITB)
Security researcher mr.d0x has identified a Browser-in-the-Browser (BITB) attack that simulates legitimate authentication windows to execute phishing attacks. The attack uses HTML, CSS, and JavaScript to create indistinguishable fake browser windows, compromising the reliability of checking URLs for phishing prevention.
Microsoft Confirms LAPSUS$ Hack & Analysis
Microsoft confirms a data breach by the Lapsus$ (DEV-0537) data extortion group, compromising project source code for Bing and Cortana. No customer data was affected. Initial access was gained through credential theft from malware like Redline, access brokers, and insider recruitment. The group escalated privileges by targeting internal server vulnerabilities and searching internal repositories. Lapsus$ gathered intelligence by joining crisis calls and observing internal messages. They created global admin accounts in cloud tenants, set mail transport rules, and removed other admin accounts, locking out organizations and exfiltrating data.
BitRAT
BitRAT has been available for purchase on hacking forums since 2020 and continues to be used by attackers today. The malware is disguised as a Windows 10 license verification tool, targeting users who download illegal crack tools. Once installed, BitRAT provides advanced features such as info-stealing, hidden virtual network computing, remote desktop access, coin mining, and proxies.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.