We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Mandiant's Tracks Ransomware Group Lockbit
Mandiant's tracking of activity cluster UNC2165 reveals its origins with Evil Corp and its current affiliation with Lockbit ransomware to evade sanctions imposed by the U.S. Treasury Department's OFAC in December 2019. UNC1543's FakeUpdates campaign provides UNC2165 with initial access by luring victims with malicious browser updates, delivering malware such as Dridex. Post-compromise tactics include using Mimikatz, Kerberoasting, native Windows utilities, and open-source tools for reconnaissance, and lateral movement with SSH, RDP, and PsExec. Persistence is maintained through scheduled tasks and user account creation, while system defenses are disabled to facilitate ransomware deployment.
Hive Ransomware Strikes Costa Rica Public Health Agency
On May 31, 2022, a Hive ransomware attack targeted Costa Rica's public health service and the Costa Rican Social Security Fund (CCCS). While services were disrupted, critical health and tax data in the EDUS and SICERE systems were not compromised. This incident follows a Conti ransomware attack on the CCCS on May 9, 2022, leading to a national emergency declaration by President Rodrigo Chaves.
CISA Warns of Data Extortion Group Karakurt
The Cybersecurity & Infrastructure Security Agency (CISA) has issued an advisory on the data extortion group Karakurt. Unlike traditional ransomware, Karakurt focuses on data exfiltration and extortion without encrypting victim data. They pressure victims by contacting employees, business partners, and clients to meet ransom demands. If paid, Karakurt provides proof of data deletion and an explanation of the intrusion method. However, some victims report that Karakurt did not maintain confidentiality after ransom payments. The group uses Cobalt Strike and Mimikatz for network enumeration and credential access, exfiltrating data via FTP, Rclone, or MEGA. U.S. federal agencies strongly discourage paying ransoms to Karakurt.
Chinese Hackers Exploit Microsoft Office Latest Zero-Day CVE-2022-30190
Proofpoint has identified Chinese state-linked threat group TA413 actively exploiting Microsoft Office's latest zero-day vulnerability, CVE-2022-30190, also known as 'Follina.' The attack targets the international Tibetan community and is delivered in a compressed zip archive. According to Proofpoint, 'TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.
Cryptojacking Group WatchDog Attack Cabo Labs
Researchers at Cado Labs have observed a cryptojacking attack by the WatchDog group through the company's honeypot. The attack exploits a publicly misconfigured Docker API over port 2375, which allowed unauthenticated access to the Docker daemon. After establishing a foothold, the attacker created an Alpine Linux Docker container and set up persistence with a cron job. A shell script was executed to check the system's infection status, download a second-stage payload, and ensure root permissions. The second-stage script manipulated the system's timestamp and disabled services like the Alibaba Cloud Agent. The XMRig miner payload was then deployed, with a system service created for persistence. A third-stage payload conducted network scanning to identify additional hosts for pivoting, dropping two final scripts to propagate the attack further into the victim’s network.
Analysis of Attack Ransomware Timelines
IBM X-Force's analysis of ransomware attack timelines shows a 94.34% reduction from 2019 to 2021, with attack duration dropping from months to just days due to advanced tactics and tools.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
