Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Precedence Group's Overly-Permissive SPF DNS Record
Managed service provider Precedence Group used an overly-permissive SPF DNS record, exposing 190 Australian organizations to email spoofing. The vulnerability, present since March 2019, allowed any AWS user to send authenticated emails as these organizations. The issue was fixed on November 29, 2021. CEO of CanIPhish, Sebastian Salla, highlighted the risk.
Nobelium Groups UNC3004 and UNC2652 from Mandiant
Mandiant tracks Nobelium clusters UNC3004 and UNC2652, targeting technology firms with tactics including CEELOADER, Azure permissions abuse, and MFA push notification exploitation. The groups use compromised credentials and info-stealer malware for data collection and exfiltration, focusing on Russian interests.
CVE-2021-34535 Remote Code Execution Vulnerability
Malcolm Stagg, a Synack Red Team (SRT) member, discovered CVE-2021-34535, a remote code execution vulnerability in the Windows Remote Desktop client. This vulnerability arises from an integer overflow in the TSMF media decoder, leading to a heap buffer overflow. By specifying a buffer size just below the upper limit, an integer overflow occurs, causing a small buffer to be allocated while a large amount of attacker-controlled data is copied into it. This results in a heap buffer overflow, overwriting structures throughout the program’s memory space with attacker-controlled data. Although the vulnerability was patched by Microsoft in August 2021, the proof-of-concept exploit assumes the attacker can bypass address space layout randomization (ASLR).
Cuba Ransomware
The FBI released a flash report on Cuba ransomware, which has compromised 49 entities across various critical infrastructure sectors since November 2021. Affected sectors include financial, government, healthcare, manufacturing, and information technology. The initial infection vector is identified as Hancitor malware, with threat actors using phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, and RDP tools to gain access. The attackers leverage legitimate Windows services like PowerShell and PsExec, and exploit Windows Admin privileges to execute their ransomware.
Emotet and App Installer
On November 11, 2021, Sophos reported that Emotet malware is using Windows App Installer packages, similar to BazarLoader's tactics. The attack starts with a phishing email linking to a fake Google Drive page, downloading a DLL file disguised as an Adobe PDF component, which executes via rundll32 and creates an autorun entry.
BlackByte Ransomware from RedCanary
RedCanary, in collaboration with Kroll, presents research from a BlackByte ransomware incident response engagement. The attack sequence began with initial access through the ProxyShell vulnerability and web shell deployment. Post-exploitation activities included the use of Cobalt Strike, impairing defenses by modifying process monitoring, Windows Defender, and firewall settings, culminating in ransomware deployment and file exfiltration.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
