We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
APT Group Targets Industrial Base with Impacket
CISA alerts on an APT attack against the defense industrial base, using Impacket tools and compromised credentials. The attackers targeted Exchange servers and deployed CovalentStealer for data exfiltration. The incident spanned from November 2021 to January 2022, with system reconnaissance and unauthorized access via OWA and EWS.
Leveraging Exchange Telemetry in O365 Mailbox Attack
Red Canary reports a payroll diversion fraud campaign targeting O365 mailboxes. Attackers compromise accounts, create forwarding rules, and send fictitious direct deposit requests. The attack sequence occurs within 12 minutes, highlighting the importance of leveraging detection analytics focused on O365 logins and mailbox tampering.
The Newly Rebranded Emperor Dragonfly Strikes
Sygnia researchers discover Emperor Dragonfly, a new threat group formed from Cheerscrypt and Night Sky. The group exploits Log4Shell (CVE-2021-4428), uses Cobalt Strike and Go-based tools, and deploys ransomware. Evidence suggests potential Chinese allegiances, though the group’s full affiliations remain unclear.
Meta Removes Influence Networks Operated by China & Russia
Meta has removed influence operations from China and Russia on Facebook and Instagram for violating policies on Coordinated Inauthentic Behavior (CIB). These networks targeted political themes and international policies, impersonating news outlets and playing various sides of political groups. The operations antagonized Ukraine and targeted multiple countries.
Lazarus Masquerades as Crypto[.]com in Updated Job Offer Campaign
SentinelOne reports that Lazarus Group, a North Korean threat actor, targets cryptocurrency users with fake job offers from Crypto[.]com. The campaign, part of "Operation In(ter)ception," employs macOS and Windows malware to steal digital assets. Users are advised to be wary of unsolicited job offers.
Russia May Plan Attack Against Energy and Critical Infrastructure in Next Wave
Ukraine's Ministry of Defence warns of imminent Russian cyber attacks on the energy sector and critical infrastructure in Ukraine and allied nations. The attacks aim to halt Ukraine's advance, referencing past incidents involving Industroyer malware and anticipating increased DDoS attacks.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
