We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
All Threat Reports
Hackers Compromise Slack's GitHub Repository
Slack's GitHub repository was compromised on December 27, 2022, via stolen employee tokens. Hackers accessed and downloaded private code repositories, but neither customer data nor the primary codebase was affected. Slack is investigating the potential impact and has rotated the affected credentials as a precaution.
Linux Malware Downloader Uses Shell Script Compiler for Cryptomining & DDoS
ASEC researchers uncover a Linux malware downloader using Shell Script Compiler (SHC) to convert bash scripts into ELF executables, evading detection with RC4 encoding. The malware targets SSH servers through brute force attacks, deploying XMRig CoinMiner, DDoS IRC bots, and SSH Scanners, primarily impacting systems in Korea.
Raspberry Robin Circling Entities in Europe
Security Joes identifies Raspberry Robin malware targeting financial and insurance sectors in Europe, particularly Spanish and Portuguese-speaking organizations. The malware uses USB drives and phishing emails for initial infection, employing obfuscation and system binaries like msiexec and rundll32 to evade detection and maintain persistence.
Bluebottle Threat Actors Strike Banks in French-speaking Countries
Symantec reports Bluebottle targeting banks in French-speaking African countries, employing TTPs similar to OPERA1ER. Using tools like Cobalt Strike and GuLoader, and disabling security products with signed Windows drivers, Bluebottle has impacted three financial institutions from May to September 2022, persisting on networks for extended periods.
Rackspace Confirms Data Impact from Play Ransomware Attack
Rackspace's investigation confirms the Play ransomware gang exploited the OWASSRF method (CVE-2022-41080 and CVE-2022-41082), accessing email data of 27 Hosted Exchange customers. Rackspace states there is no evidence of misuse of the data and continues data recovery efforts while migrating affected customers to Microsoft 365.
Vice Society Launches Custom 'PolyVice' Encryptor
Vice Society deploys its custom 'PolyVice' encryptor in ransomware attacks, identified by SentinelOne. Using advanced encryption algorithms and multi-threading for speed, 'PolyVice' appends ".ViceSociety" to encrypted files and drops a ransom note. The group, targeting all sectors, focuses on under-resourced industries such as education and healthcare.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want