We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Lockbit Ransomware Attacked Industrial and Retail Organizations
Cybereason investigated two Lockbit ransomware attacks: one on an industrial organization in late 2021 and another on a retail organization in mid-2022. In both cases, Lockbit operators quickly established persistence, gathered credentials, and exfiltrated data. The retail attack involved a week-long timeline, using tools like Ngrok, Rclone, MegaSync, and Filezilla, and exploiting the SpoolFool vulnerability (CVE-2022-21999) in the industrial attack. Common tactics included using Mimikatz, PsExec for lateral movement, clearing event logs, and disabling security defenses before deploying the ransomware.
Brute Ratel C4 Trending
Palo Alto Unit42's latest research highlights the rise of Brute Ratel C4 (BRc4), a penetration testing tool created by Chetan Nayak in December 2020. Favored over Cobalt Strike by some threat actors, BRc4 is designed to evade detection from endpoint detection and response (EDR) and antivirus (AV) products. The tool communicates with command and control (C2) servers via Amazon Web Services (AWS) IP addresses, impersonating Microsoft. BRc4 uses 'badgers' for command reception, and its deployment mimics advanced persistent threat (APT) tactics, including the use of ISO files, LNK files, and legitimate Microsoft signed binaries. BRc4 is available for $.These industries highlight the key areas impacted by the rise of Brute Ratel C4, emphasizing cybersecurity challenges and the implications for IT and enterprise security solutions.
Tallying the Cyberattacks Against Ukraine
Since the Russia-Ukraine conflict began on February 24th, 2022, SSSCIP has tracked 796 cyberattacks against Ukraine. Government organizations faced the most attacks (179), followed by security and defense (104), finance (55), commercial organizations (54), energy (54), and 350 uncategorized groups. Despite high frequency, attack quality has declined.
PwnKit/CVE-2021-4034 Exploited in the Wild
The PwnKit/CVE-2021-4034 vulnerability, impacting major Linux distributions, has been added to CISA's exploited vulnerabilities catalog. Discovered by Qualys in January 2022, this local privilege escalation flaw allows unprivileged users to gain administrative rights. CISA mandates all organizations, including FCEB agencies, to patch by July 18th to prevent exploitation.
Evilnum APT Targeting United Kingdom and Europe
Zscaler's ThreatLabz has been tracking the Evilnum APT group targeting financial services and international organizations in the UK and Europe since early 2022. The group uses phishing emails with macro-enabled Microsoft Office documents, leveraging advanced obfuscation and VBA code stomping techniques to bypass analysis. Despite their activity, Evilnum's network infrastructure remains undetected by security vendors.
Conti & LockBit Leads Ransomware Comparison
Trend Micro's analysis of ransomware groups from November 2019 to March 2022 compares the most prominent groups, Conti and LockBit. During this period, Conti was associated with 805 identified victims, while LockBit had 666, and Maze had 330. Since August 2020, Conti has consistently led in monthly victim counts, initially maintaining double-digit figures. LockBit's activity surged in July 2021, matching Conti's double-digit victim counts. Geographically, Conti heavily targets North American entities, followed by Europe, accounting for 93% of its victims. LockBit has a more dispersed target profile, with North America and Europe representing 68% of its victims. Both groups evenly target top industry categories, showing no specific industry trend.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
