

We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk-, pattern-, and sequence-based detections that correlate the outputs of Threat Identifiers to surface actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024




All Threat Reports
Vice Society: A Threat Group of Opportunity
Palo Alto Unit 42 profiles Vice Society, a ransomware group targeting various industries, notably education and healthcare, since 2021. Known for exploiting the PrintNightmare vulnerability and deploying HelloKitty and Zeppelin ransomware, Vice Society times its attacks to the school year calendar. California, Texas, and Pennsylvania are among the most affected states.
Iranian Threat Actor Launches New 'Fantasy' Data Wiper
ESET reveals that Iranian threat group Agrius has deployed a new data wiper named 'Fantasy' in supply-chain attacks targeting organizations in Hong Kong, Israel, and South Africa. The 'Fantasy' wiper overwrites files and the master record, but recovery has been possible for some victims, with damages reversed within hours.
Activities from Truebot Infections
Cisco Talos reports a rise in Truebot malware infections since August 2022. Distributed via phishing, botnets, USB infections, and Raspberry Robin, Truebot acts as a downloader for data exfiltration tools like Teleport and deploys Clop ransomware. Truebot infections link to Silence Group and TA505, with post-compromise activities including data theft.
DEV-0139 Tailors Attack Against Cryptocurrency Organizations
Microsoft reports DEV-0139 targeting cryptocurrency organizations via Telegram, using weaponized Office documents to deliver malicious payloads. Posing as legitimate representatives, the actors build trust before launching attacks. Techniques include DLL sideloading and backdoor deployment, similar to the Lazarus group's AppleJeus malware.
Cloud Attacks in AWS and GCP from Compromised Credentials
Palo Alto Unit 42 reports compromised credentials causing security breaches in AWS and GCP. Threat actors launch phishing and cryptomining attacks, quickly exploiting cloud environments. Key actions include enumerating environments, tampering with IAM configurations, and deploying new cloud instances, underscoring the importance of robust cloud security and monitoring.
High Demand for Signal App Exploits
Russian company OpZero offers $1.5 million for Signal app RCE exploits, tripling Zerodium's offer. The company's high offer and connections to Russian private and government organizations raise concerns about espionage efforts, particularly targeting Ukraine. OpZero's recent online presence adds to the intrigue.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections so they can defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want





