Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
OilRig's 8-Month Stay Inside a Middle Eastern Government Network
In a comprehensive investigation, Symantec’s Threat Hunter Team has unveiled the details of an 8-month-long cyber-espionage operation conducted by OilRig (also known as APT34 and Crambus), targeting a government entity in the Middle East. From February to September 2023, the Iranian espionage group executed sophisticated attacks, managing to exfiltrate sensitive data, compromise at least 12 computers, and install backdoors and keyloggers on numerous others. One of the key tools in their arsenal was PowerExchange, a PowerShell backdoor used for monitoring emails and executing commands discreetly.
CVE-2023-38545: A SOCKS Issue sets a High Rated curl Vulnerability
The globally utilized curl library has announced a pressing security advisory concerning a heap buffer overflow vulnerability within its SOCKS5 proxy implementation, CVE-2023-38545. Jay Satiro, a prominent name in the curl community, underscores that the crux of the issue is the handling of hostnames longer than 255 bytes in certain conditions. A crafted scenario presented by Daniel Stenberg, the open-source developer and maintainer of curl, illustrates a potential exploit where an HTTPS server could maliciously redirect a client using libcurl via a SOCKS5 proxy with an excessively long hostname.
CVE-2023-44487: New HTTP/2 "Rapid Reset" Sets DDoS Record
In a pivotal coordinated disclosure, giants AWS, Cloudflare, and Google unveiled a groundbreaking DDoS attack stemming from a vulnerability in the HTTP/2 protocol, termed as the "HTTP/2 rapid reset" attack. Recorded in August and September 2023, these attacks shattered prior records of Layer 7 DDoS attacks. The most extensive incident hit Google with 398 million requests per second. At the core of this exploit is the HTTP/2 feature allowing multiplexing of multiple logical connections over one HTTP session.
WS_FTP Server Exploit with a Familiar Attack Chain
Sophos X-Ops on Mastodon has reported that Progress Software's WS_FTP Server software is currently facing active exploitation due to the .NET Deserialization vulnerability, CVE-2023-40044. This high-risk vulnerability, graded 10/10 by the vendor, was addressed with a hotfix in September 2023. Despite the fix, Sophos's analysis reveals attackers employing familiar patterns, leveraging the IIS component and delivering malicious payloads to deploy ransomware. Shockingly, the ransomware in question seems to be derived from the leaked Lockbit 3.0 source code.
"Stayin’ Alive" Campaign Targets Government & Telecom Organizations in Asia Since 2021
Check Point Research has been monitoring an ongoing cyber campaign named "Stayin' Alive", active since at least 2021. Primarily targeting telecommunications and government sectors in Asian countries like Vietnam, Uzbekistan, Kazakhstan, and Pakistan, the campaign employs basic tools with the primary goal of downloading and executing additional payloads. Spear-phishing emails delivering archive files are common initial attack vectors, even exploiting known vulnerabilities.
CISA Updates #StopRansomware Advisory for AvosLocker
The FBI and CISA, in a joint Cybersecurity Advisory, provide an updated deep dive into the operations of the AvosLocker ransomware gang, a Ransomware-as-a-Service entity active as of May 2023. AvoLockers targets multiple critical infrastructure sectors in the U.S., encompassing Windows, Linux, and VMware ESXi systems. They employ a plethora of legitimate software and open-source tools, ranging from remote administration to custom webshells. Known for their double-extortion tactics, AvosLocker uses tools like Cobalt Strike, Lazagne, Mimikatz, FileZilla, and more.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
Trusted by leading teams at
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
