We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Cyberattacks and Covid Maintain Challenges for Aviation and Travel Industry
Cyble reports that cyber threats continue to target the aviation and travel industries, exacerbated by Covid. Threat actors exploit poor cybersecurity practices, legacy systems, and insider threats, often stealing payment card information and loyalty rewards. Ransomware incidents by Quantum, RansomEXX, AlphaVM, and LockBit were notable in 2022.
0ktapus, An Okta Themed Phishing Campaign
Group-IB reveals the 0ktapus phishing campaign, impersonating Okta and targeting 130 organizations, resulting in 9,931 compromised accounts. The campaign, which began in March 2022, used 169 unique domains to obtain Okta credentials and 2FA codes from users across various industries.
MuddyWater APT Exploits Log4j
Microsoft reports the Iranian APT group MuddyWater exploiting the Log4Shell vulnerability (CVE-2021-44228) against Israeli organizations and targeting telecommunication sectors in the Middle East and Asia. The group exploits unpatched SysAid Server instances, uses tools like Mimikatz for credential theft, and establishes persistence via autorun registry keys.
Threat Actor Abuses Video Game, Genshin Impact Anti-Cheat Driver
Trend Micro identifies ransomware actors abusing Genshin Impact's anti-cheat driver, mhyprot2.sys, to gain kernel-level privileges and terminate endpoint protection services. The exploitation, observed in July 2022, led to the deployment of ransomware after lateral movement and execution of malicious scripts.
Infectious Spearphishing Emails Linked with Kimsuky's GoldDragon Cluster
Kaspersky identifies Kimsuky's GoldDragon cluster using spearphishing emails targeting politicians. The emails contain malicious Word documents that execute VBS scripts to gather host information and download additional malware. GoldDragon uses complex multi-stage C2 servers to aid their campaigns.
Analyzing Black Basta Ransomware TTPs
Unit42's research on Black Basta ransomware reveals its rapid impact, compromising over 75 entities since early 2022. The group uses Qakbot/Qbot for initial access, followed by Cobalt Strike deployment. Industries affected include agriculture, energy, and government across the US, UK, Australia, Canada, and New Zealand.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
