We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Phishing with Chatbots
Phishing scams are now using chatbots to improve authenticity and steal credentials. Trustwave and BleepingComputer observed DHL-themed phishing emails that lead to webchats, deceiving victims into providing personal and payment information, including one-time passcodes, under the guise of re-processing undelivered packages due to damaged labels.
iPhone Chip Low-Power Mode (LPM) Security Issue
Researchers at Germany's Technical University of Darmstadt have discovered a security issue in Apple's iPhone chips related to Low-Power Mode (LPM). The Bluetooth chip, which remains active for up to 24 hours after the device is powered off, lacks mechanisms for digitally signing or encrypting firmware. This vulnerability, which persists due to hardware limitations, could allow attackers to exploit the device and launch malicious firmware. The risk is not easily solvable with system updates and has a long-lasting effect on iOS security. Apple has not yet responded to the findings.
Conti & Its Subsidiary Group Blackbyte
AdvIntel's extensive research on the Conti ransomware group delves into its subsidiary group Blackbyte, which, along with the data extortion group Karakurt, supports Conti's operations. The relationship between Conti and Blackbyte was investigated following the San Francisco 49ers data breach on February 13th, 2022. Security news outlets initially pointed to Blackbyte as the attacker, but AdvIntel identified Conti as the true perpetrator, using Blackbyte as a shell group. The breach began on December 14th, 2021, with Cobalt Strike commands targeting the 49ers' network, compromising the primary domain and accessing finance and accounting sectors. AdvIntel notes a trend of ransomware groups creating sub-divisions for data exfiltration without encryption. Conti's alliances extend to HelloKitty/FiveHands, Babuk, HiVE, BlackCat/ALPHV, and AvosLocker. Future predictions suggest ransomware groups will continue to spawn business derivatives for smaller operations. Detection techniques for Blackbyte emphasize Rclone, Cobalt Strike, Metasploit, and PowerShell commands.
Cryware
Microsoft's latest research investigates the rise of Cryware, a malware targeting hot wallets (non-custodial cryptocurrency wallets). Cryware exploits locally stored data on a user's device to steal information such as private keys, seed phrases, and wallet addresses. This information allows attackers to initiate crypto transactions without the victim's consent, leveraging the irreversible nature of blockchain transactions to ensure the victim cannot recover their funds. Attackers use various techniques, including memory dumping, keylogging, exfiltrating wallet storage files, and clipping and switching. The latter technique monitors clipboard contents and replaces copied wallet addresses with the attacker's address, redirecting funds to the attacker.
Cisco Talos & BlackByte Ransomware Group
Cisco Talos has identified significant activity from the BlackByte ransomware group, which targets victims worldwide, including in North America, Colombia, the Netherlands, China, Mexico, and Vietnam. The group typically gains initial access by exploiting vulnerabilities in Microsoft Exchange (such as ProxyShell) or SonicWall VPN. A documented intrusion in March 2022 began with a BAT script executing and installing AnyDesk, followed by the creation of a new account for persistence. The attackers then tampered with system services, modified the registry, and created firewall rules to deploy the BlackByte ransomware, achieving encryption within 17 hours. Common attack patterns include the use of AnyDesk software and living-off-the-land binaries (LoLBins).
Chaos Ransomware Aligns with Russia
Fortinet has identified the Chaos ransomware group aligning with Russia in the Ukraine conflict. This is evident from the negative messages about the Ukraine government displayed after encryption is completed. The arrival vector for the malware is undetermined but is likely through email or forum posts. The variant investigated by Fortinet, compiled on May 16th, 2022, functions as a potential file destroyer, offering no recovery options for affected files and deleting shadow copies from impacted workstations.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
