Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights.
• Atomic detections that serve as the foundation of our detection framework.
• Risk, pattern, and sequence-based detections that use the outputs of Threat Identifiers to identify actual threats.
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
AvoLocker Ransomware Backtracks
Broward Health Data Breach
Florida-based Broward Health disclosed a data breach that occurred on October 15th, 2021, affecting 1,357,879 individuals. The organization detected the incident four days later and promptly notified the FBI and the US Department of Justice. The breach compromised a range of patient data, including names, birth dates, physical addresses, phone numbers, financial information, Social Security numbers, email addresses, and medical information/history.
Aquatic Panda
CrowdStrike's OverWatch team identified Aquatic Panda attempting to exploit the Log4Shell vulnerability on a VMware Horizon instance at an academic institution. The threat actor ran DNS lookups, executed Linux commands on a Windows host, and used PowerShell to download scripts. They also attempted to harvest credentials by dumping LSASS memory. The institution mitigated the attack by patching the vulnerable application.
Caution with Copy Pasting
In a blog post on Wizer, a security training platform, founder Gabriel Friedlander showed that malicious JavaScript can hide within a web page's HTML. These scripts use event listeners to replace clipboard data, tampering with commands users copy from the page and paste into a terminal. This poses a significant risk because the modified command can run without the user's awareness: either when the user presses Enter, or immediately on paste if the injected text ends with a newline.
BlackTech - "Flagpro"
NTT Security has observed the threat actor group BlackTech using new malware named Flagpro to target Japanese companies. The attack begins with spear-phishing emails carrying a zip attachment that contains a malicious Excel document. When the macro executes, the Flagpro executable is dropped into the startup directory and runs on the next system launch. Flagpro communicates with its C2 server over base64-encoded traffic and can download additional tools, execute OS commands, and collect Windows authentication information. If the compromised host is deemed suitable, the attackers proceed to download the second-stage malware.
Conti & Log4Shell from AdvIntel
AdvIntel's latest report highlights the Conti ransomware group's exploitation of the Log4Shell vulnerability. After a lack of viable attack vectors since November, Conti found an opportunity in Log4Shell and began scanning for the exploit. Conti members targeted specific vulnerable Log4J2 VMware vCenter systems and used them for lateral movement directly from already-compromised networks. This activity affected US and European victim networks and leveraged pre-existing Cobalt Strike sessions. AdvIntel confirms the ransomware group's renewed activity, which poses significant risks to global networks.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors that can be responded to with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic