Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Ongoing Peril: WinRAR Vulnerability Persists Despite Patch
The WinRAR vulnerability, CVE-2023-38831, initially spotlighted by Group-IB on August 23rd, 2023, continues to be a substantial cybersecurity concern. Though a patch was promptly released in August 2023, threat actors, including state-backed groups, persist in exploiting this vulnerability, signaling an extensive and ongoing threat vector. Reports indicate that exploitation attempts date back to April 2023, underscoring the persistent nature of this threat.
Exposed Jupyter Notebooks Under Threat of "Qubitstrike" Cryptojacking Campaign
Cado Security’s Matt Muir has spotlighted a threatening cryptojacking campaign named "Qubitstrike", specifically targeting exposed Jupyter Notebooks. This campaign utilizes a variety of malicious tools, including scripts for credential theft, Linux rootkits, and the notorious XMRig coinminer. The threat actors cleverly manipulate the Codeberg platform to stage their scripts, aiming to snatch credential files of widely-used cloud services such as AWS and Google Cloud, and exfiltrate them via the Telegram Bot API.
OilRig's 8-Month Stay Inside a Middle Eastern Government Network
In a comprehensive investigation, Symantec’s Threat Hunter Team has unveiled the details of an 8-month-long cyber-espionage operation conducted by OilRig (also known as APT34 and Crambus), targeting a government entity in the Middle East. From February to September 2023, the Iranian espionage group executed sophisticated attacks, managing to exfiltrate sensitive data, compromise at least 12 computers, and install backdoors and keyloggers on numerous others. One of the key tools in their arsenal was PowerExchange, a PowerShell backdoor used for monitoring emails and executing commands discreetly.
CVE-2023-38545: A SOCKS Issue sets a High Rated curl Vulnerability
The globally utilized curl library has announced a pressing security advisory concerning a heap buffer overflow vulnerability within its SOCKS5 proxy implementation, CVE-2023-38545. Jay Satiro, a prominent name in the curl community, underscores that the crux of the issue is the handling of hostnames longer than 255 bytes in certain conditions. A crafted scenario presented by Daniel Stenberg, the open-source developer and maintainer of curl, illustrates a potential exploit where an HTTPS server could maliciously redirect a client using libcurl via a SOCKS5 proxy with an excessively long hostname.
CVE-2023-44487: New HTTP/2 "Rapid Reset" Sets DDoS Record
In a pivotal coordinated disclosure, giants AWS, Cloudflare, and Google unveiled a groundbreaking DDoS attack stemming from a vulnerability in the HTTP/2 protocol, termed as the "HTTP/2 rapid reset" attack. Recorded in August and September 2023, these attacks shattered prior records of Layer 7 DDoS attacks. The most extensive incident hit Google with 398 million requests per second. At the core of this exploit is the HTTP/2 feature allowing multiplexing of multiple logical connections over one HTTP session.
WS_FTP Server Exploit with a Familiar Attack Chain
Sophos X-Ops on Mastodon has reported that Progress Software's WS_FTP Server software is currently facing active exploitation due to the .NET Deserialization vulnerability, CVE-2023-40044. This high-risk vulnerability, graded 10/10 by the vendor, was addressed with a hotfix in September 2023. Despite the fix, Sophos's analysis reveals attackers employing familiar patterns, leveraging the IIS component and delivering malicious payloads to deploy ransomware. Shockingly, the ransomware in question seems to be derived from the leaked Lockbit 3.0 source code.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
