We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Researchers Found Infection Chain in USB Devices and Shared Folders
Cybereason's research uncovers the Raspberry Robin worm's infection chain via USB devices and shared folders. The malware uses LNK files to call msiexec.exe, downloading a malicious DLL. It injects into rundll32.exe, regsvr32.exe, and dllhost.exe, and maintains persistence through the registry run key.
Hacker Alleges to Steal Data from Chinese Citizens
An anonymous hacker, "ChinaDan," claims to have stolen data from the Shanghai National Police database, affecting 1 billion Chinese citizens. The data includes personal details and criminal records, allegedly exfiltrated from Alibaba Cloud due to an open ElasticSearch database and a tech blog exposing credentials. Binance CEO Zhao Changpeng and Wall Street Journal reporter Karen Hao have investigated and verified the breach's authenticity.
Chinese APTs Targeting Russian Organizations
Research from SentinelLabs and CERT-UA has identified Chinese espionage groups targeting Russian government organizations. The campaign involves distributing malicious documents through phishing emails that deploy a remote access trojan named Bisonal. These documents, created using the Royal Road tool, exploit the Microsoft Equation Editor vulnerability, CVE-2018-0798. With medium confidence, the activity is suspected to be associated with the Tonto Team APT group (also known as 'CactusPete' and 'Earth Akhlut'). However, the increased rate of targeting Russian organizations suggests the involvement of multiple Chinese threat actor groups. On July 6th, 2022, Nikolay Murashov, deputy director of Russia's National Coordination Center for Computer Incidents, reported an average of over 200 cyberattacks daily against Russian government agencies.
Lockbit Ransomware Attacked Industrial and Retail Organizations
Cybereason investigated two Lockbit ransomware attacks: one on an industrial organization in late 2021 and another on a retail organization in mid-2022. In both cases, Lockbit operators quickly established persistence, gathered credentials, and exfiltrated data. The retail attack involved a week-long timeline, using tools like Ngrok, Rclone, MegaSync, and Filezilla, and exploiting the SpoolFool vulnerability (CVE-2022-21999) in the industrial attack. Common tactics included using Mimikatz, PsExec for lateral movement, clearing event logs, and disabling security defenses before deploying the ransomware.
Brute Ratel C4 Trending
Palo Alto Unit42's latest research highlights the rise of Brute Ratel C4 (BRc4), a penetration testing tool created by Chetan Nayak in December 2020. Favored over Cobalt Strike by some threat actors, BRc4 is designed to evade detection from endpoint detection and response (EDR) and antivirus (AV) products. The tool communicates with command and control (C2) servers via Amazon Web Services (AWS) IP addresses, impersonating Microsoft. BRc4 uses 'badgers' for command reception, and its deployment mimics advanced persistent threat (APT) tactics, including the use of ISO files, LNK files, and legitimate Microsoft signed binaries. BRc4 is available for $.These industries highlight the key areas impacted by the rise of Brute Ratel C4, emphasizing cybersecurity challenges and the implications for IT and enterprise security solutions.
Tallying the Cyberattacks Against Ukraine
Since the Russia-Ukraine conflict began on February 24th, 2022, SSSCIP has tracked 796 cyberattacks against Ukraine. Government organizations faced the most attacks (179), followed by security and defense (104), finance (55), commercial organizations (54), energy (54), and 350 uncategorized groups. Despite high frequency, attack quality has declined.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
