We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
PwnKit/CVE-2021-4034 Exploited in the Wild
The PwnKit/CVE-2021-4034 vulnerability, impacting major Linux distributions, has been added to CISA's exploited vulnerabilities catalog. Discovered by Qualys in January 2022, this local privilege escalation flaw allows unprivileged users to gain administrative rights. CISA mandates all organizations, including FCEB agencies, to patch by July 18th to prevent exploitation.
Evilnum APT Targeting United Kingdom and Europe
Zscaler's ThreatLabz has been tracking the Evilnum APT group targeting financial services and international organizations in the UK and Europe since early 2022. The group uses phishing emails with macro-enabled Microsoft Office documents, leveraging advanced obfuscation and VBA code stomping techniques to bypass analysis. Despite their activity, Evilnum's network infrastructure remains undetected by security vendors.
Conti & LockBit Leads Ransomware Comparison
Trend Micro's analysis of ransomware groups from November 2019 to March 2022 compares the most prominent groups, Conti and LockBit. During this period, Conti was associated with 805 identified victims, while LockBit had 666, and Maze had 330. Since August 2020, Conti has consistently led in monthly victim counts, initially maintaining double-digit figures. LockBit's activity surged in July 2021, matching Conti's double-digit victim counts. Geographically, Conti heavily targets North American entities, followed by Europe, accounting for 93% of its victims. LockBit has a more dispersed target profile, with North America and Europe representing 68% of its victims. Both groups evenly target top industry categories, showing no specific industry trend.
Fraudulent Copyright Themed Emails From LockBit Ransomware Identified
ASEC analysis reveals that LockBit ransomware is being distributed through fraudulent emails warning of copyright infringement. The phishing emails contain a compressed file with an NSIS script file disguised as a PDF. Upon execution, the ransomware establishes persistence by modifying the run key, deleting shadow copies, and terminating services, then encrypts removable, fixed, and RAM disk drives.
Chinese-Speaking Threat Actors Target ICS
Kaspersky ICS CERT researchers have identified a threat campaign beginning as early as March 2021, targeting the logistics, transportation, telecommunication, and industrial sectors in Malaysia, Pakistan, and Afghanistan. Discovered in mid-October 2021, the campaign involved the ShadowPad backdoor affecting industrial control systems, specifically engineering computers in building automation systems of a telecom company in Pakistan. Attackers gained initial access by exploiting the Microsoft Exchange vulnerability CVE-2021-26855 (ProxyLogon). Their techniques included deploying Cobalt Strike, using certutil to download files, web shells, procdump, mimikatz, and BAT scripts for credential access and data collection. Persistence was achieved by scripting data collection and scheduling it to run daily. The activity is attributed to a Chinese-speaking group potentially linked to HAFNIUM.
Hacktivist Group Attack Three Iranian Steel Companies
On June 27, 2022, the hacktivist group "Gonjeshke Darande" attacked three Iranian steel companies, deploying wiper malware and causing significant damage. Operations at Khuzestan Steel, one of Iran’s largest steel companies, were suspended. The group, also known for a 2021 attack on Iran's railway system, has been tracked by SentinelOne under various aliases.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
