Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Nickelodeon Admits a Data Breach
Nickelodeon, an American television channel owned by Paramount Media Networks, has admitted to a data breach that resulted in approximately 500GB of compromised document and media files from its animation department. Despite reports of the data leak, Nickelodeon claims the breached data is "decades old." Investigations into the incident are ongoing, and the company has assured the public that the files do not appear to be from a recent system breach. The breach emphasizes the importance of stringent data security measures in the entertainment and media industry.
Major Japanese Port Resume Operations
The Port of Nagoya, one of the largest ports in Japan, has resumed operations after a significant ransomware attack on July 4th, 2023. The attack, linked to the LockBit 3.0 ransomware gang, resulted in major disruptions in cargo handling due to system failures. Despite the delays in restoring operations due to the need for extensive backup data inspections, the port managed to recover without paying a ransom. The incident underscores the vulnerability of vital trading infrastructure to cyber threats.
An Escalated Campaign with Manic Menagerie 2.0
The 'Manic Menagerie 2.0' threat campaign, an evolution of the original Manic Menagerie, aims to compromise web resources and deploy coin miners for financial gain. It targets web hosting and IT providers mainly in the United States and European Union. The threat actors exploit various vulnerabilities in web applications and IIS servers, deploying web shells to establish a foothold. During the second wave of attacks in 2022, they focused on deploying web shells at scale using a custom tool, strengthening their foothold and hiding web shells in nested folders. The threat actors also escalate privileges, add persistence mechanisms, and use various tools, such as RunasCs, PCHunter, and others, for these operations.
Microsoft Studies BlackBytes' Operations
Microsoft's Incident Response team has studied the operations of BlackByte 2.0, revealing a systematic five-day intrusion process. The attacks start with the exploitation of ProxyShell vulnerabilities, followed by remote command execution and system persistence establishment. BlackByte then uses tools like AdFind and NetScan for network enumeration and likely Mimikatz for credential theft. The group leverages stolen credentials to move laterally using RDP and PowerShell. An ExByte executable is deployed, which is specifically crafted for each victim, to collect and exfiltrate data to MEGA cloud storage service before commencing data encryption.
BlackCat Abuses Search Ads with Malicious WinSCP Downloads
The BlackCat ransomware gang is exploiting search ads to trick users into downloading a malicious version of the WinSCP file transfer application. The victims were lured in through a fraudulent tutorial which led them to a compromised WordPress site. Despite gaining high-level administrative privileges, the attackers were prevented from executing their final payload by Trend Micro's intervention. The group's tactics involved an array of tools including Python scripts, batch scripts, AdFind, Cobalt Strike, PowerShell, PowerView, PsExec, BitsAdmin, and AnyDesk.
Killnet Grows & Hones Their Attack Potency
The infamous Russian-linked Killnet threat group has been growing and evolving its attack tactics since 2022. Initially emerging amidst Russia's invasion of Ukraine, the group has been known for executing significant DDoS attacks against targets in Ukraine and its supporters. A recent report from Mandiant reveals that while there is no direct evidence linking Killnet to Russia, the group's operations consistently mirror Russian strategic objectives. Killnet's capabilities have expanded thanks to affiliates like REvil, Zarya Splinters, and notably Anonymous Sudan. With over 500 victims since the beginning of 2023, the threat group has shown no signs of slowing down, targeting numerous industries, mainly technology, social media, and transportation. Following their recent disruptive attack on Microsoft services, it's expected that Killnet will continue to bolster its attack potency.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
