Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights.
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
All Threat Reports
Intricate MSSQL Attack Sequence Revealed
Huntress researchers unveiled a complex MSSQL server attack initiated through the xp_cmdshell stored procedure, leading to the stealthy transfer of data and the installation of remote access tools within minutes. The operation involved the creation of a new user account, changes to registry settings to enable credential harvesting, and the setup of AnyDesk for persistent access. The sequence of these actions shows the attackers' precision and the critical need to monitor for similar patterns to strengthen early intrusion detection.
Lessons from a 30-Day ALPHV/Blackcat Ransomware Intrusion
Sygnia's investigation into a 30-day ALPHV/Blackcat ransomware attack uncovers the attackers' exploitation of a trusted third party and their strategic patience. The attack spanned both on-premises and Azure environments, using privilege escalation, Cobalt Strike, and data exfiltration. The incident underscores the importance of data-driven actions, network isolation, and understanding the scope of stolen data when handling extortion demands. This case highlights the evolving threat landscape and the need for preparedness in cybersecurity defense strategies.
Rapid Exploitation and a Coordinated Intrusion from Cactus Ransomware
Bitdefender's report on a Cactus ransomware attack shows rapid exploitation of a newly disclosed vulnerability, leading to a coordinated assault on two companies. It underscores the importance of prompt vulnerability management and details the attackers' steps, from credential theft to final encryption, illustrating the evolving threat landscape and the need for readiness against such opportunistic attacks.
FBI Reports $12.5 Billion Lost to Fraud in 2023 as Cybercrime Reaches New Heights
The FBI's 2023 Internet Crime Report highlights a sharp increase in cybercrime, with $12.5 billion in losses reported by Americans, a 22% increase from the previous year. Investment fraud, especially in cryptocurrency, and phishing were the most prominent categories, with investment fraud losses soaring to $4.57 billion. Individuals aged 30 to 49 were the most affected demographic. Phishing complaints dominated cybercrime categories, significantly surpassing other types such as personal data breaches and extortion. Business Email Compromise (BEC) scams and ransomware attacks were notably costly, with BEC scams alone causing $2.9 billion in losses.
Trend Micro’s Investigation Reveals Earth Kapre’s Evasive Cyber Espionage Techniques
Trend Micro's investigation into Earth Kapre, also known as RedCurl and Red Wolf, uncovers a cyber espionage campaign targeting various countries. Using phishing emails with malicious .iso and .img attachments, the group leverages native Windows tools and complex obfuscation techniques to steal data and maintain a presence within compromised systems. Notable tactics include PowerShell for initiating attacks, the use of "curl.exe" for malicious downloads, and abuse of the Program Compatibility Assistant for indirect command execution. Detection engineers are advised to monitor for specific indicators of Earth Kapre's activity, such as unusual PowerShell and "rundll32" usage, to mitigate these sophisticated threats.
Recommendations for Countering Phobos Ransomware
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and MS-ISAC have released recommendations to combat Phobos ransomware, which has targeted critical sectors since May 2019. Phobos, a ransomware-as-a-service (RaaS) operation, exploits weaknesses in Remote Desktop Protocol (RDP) services and conducts sophisticated phishing campaigns. It employs tools such as Smokeloader, Cobalt Strike, and Bloodhound in its attacks. Recommendations include monitoring for initial access attempts, especially via phishing and exposed RDP ports, and detecting known executables associated with Phobos.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors that can be responded to with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.