We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Windows Search Vulnerability Identified
BleepingComputer reports a Windows search vulnerability allowing malicious code execution via Word documents. The 'search-ms' URI protocol handler can query remote file shares, enabling the attacker's application to run if the victim executes the file and accepts the security prompt.
Red Canary's Latest Research Explores Email Auto-Forwarding Rules
Red Canary's research highlights the dangers of email auto-forwarding rules in business email compromises. Adversaries use these rules to exfiltrate data and maintain access to compromised accounts, causing significant financial losses. The FBI's IC3 reports victims' losses exceeding $43 billion from June 2016 to December 2021.
NCC Group’s Recap of Ransomware Activity in April 2022
NCC Group's April 2022 review indicates a rise in ransomware activity compared to March 2022 and 2021. Industrial, consumer cyclical, and technology sectors were most targeted. Notable increases in Cl0p ransomware incidents were observed, while Lockbit 2.0 and Conti remained the most problematic groups.
Mandiant's Tracks Ransomware Group Lockbit
Mandiant's tracking of activity cluster UNC2165 reveals its origins with Evil Corp and its current affiliation with Lockbit ransomware to evade sanctions imposed by the U.S. Treasury Department's OFAC in December 2019. UNC1543's FakeUpdates campaign provides UNC2165 with initial access by luring victims with malicious browser updates, delivering malware such as Dridex. Post-compromise tactics include using Mimikatz, Kerberoasting, native Windows utilities, and open-source tools for reconnaissance, and lateral movement with SSH, RDP, and PsExec. Persistence is maintained through scheduled tasks and user account creation, while system defenses are disabled to facilitate ransomware deployment.
Hive Ransomware Strikes Costa Rica Public Health Agency
On May 31, 2022, a Hive ransomware attack targeted Costa Rica's public health service and the Costa Rican Social Security Fund (CCCS). While services were disrupted, critical health and tax data in the EDUS and SICERE systems were not compromised. This incident follows a Conti ransomware attack on the CCCS on May 9, 2022, leading to a national emergency declaration by President Rodrigo Chaves.
CISA Warns of Data Extortion Group Karakurt
The Cybersecurity & Infrastructure Security Agency (CISA) has issued an advisory on the data extortion group Karakurt. Unlike traditional ransomware, Karakurt focuses on data exfiltration and extortion without encrypting victim data. They pressure victims by contacting employees, business partners, and clients to meet ransom demands. If paid, Karakurt provides proof of data deletion and an explanation of the intrusion method. However, some victims report that Karakurt did not maintain confidentiality after ransom payments. The group uses Cobalt Strike and Mimikatz for network enumeration and credential access, exfiltrating data via FTP, Rclone, or MEGA. U.S. federal agencies strongly discourage paying ransoms to Karakurt.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
