We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Cryware
Microsoft's latest research investigates the rise of Cryware, a malware targeting hot wallets (non-custodial cryptocurrency wallets). Cryware exploits locally stored data on a user's device to steal information such as private keys, seed phrases, and wallet addresses. This information allows attackers to initiate crypto transactions without the victim's consent, leveraging the irreversible nature of blockchain transactions to ensure the victim cannot recover their funds. Attackers use various techniques, including memory dumping, keylogging, exfiltrating wallet storage files, and clipping and switching. The latter technique monitors clipboard contents and replaces copied wallet addresses with the attacker's address, redirecting funds to the attacker.
Cisco Talos & BlackByte Ransomware Group
Cisco Talos has identified significant activity from the BlackByte ransomware group, which targets victims worldwide, including in North America, Colombia, the Netherlands, China, Mexico, and Vietnam. The group typically gains initial access by exploiting vulnerabilities in Microsoft Exchange (such as ProxyShell) or SonicWall VPN. A documented intrusion in March 2022 began with a BAT script executing and installing AnyDesk, followed by the creation of a new account for persistence. The attackers then tampered with system services, modified the registry, and created firewall rules to deploy the BlackByte ransomware, achieving encryption within 17 hours. Common attack patterns include the use of AnyDesk software and living-off-the-land binaries (LoLBins).
Chaos Ransomware Aligns with Russia
Fortinet has identified the Chaos ransomware group aligning with Russia in the Ukraine conflict. This is evident from the negative messages about the Ukraine government displayed after encryption is completed. The arrival vector for the malware is undetermined but is likely through email or forum posts. The variant investigated by Fortinet, compiled on May 16th, 2022, functions as a potential file destroyer, offering no recovery options for affected files and deleting shadow copies from impacted workstations.
Gootloader Infection
Red Canary provides details on Gootloader malware, which uses compromised WordPress sites and SEO poisoning to distribute malicious ZIP files. The attack targets enterprise victims, initiating with a JavaScript file that checks for Active Directory and downloads DLL payloads. The malware establishes persistence via the registry and scheduled tasks using PowerShell, culminating in the execution of commands to deploy payloads like Cobalt Strike Beacon.
Conti Group is Defunct
AdvIntel, known for tracking Conti activity, has discovered the shutdown of Conti ransomware operations. Critical ransom features were removed from the Conti News blog, including the infrastructure for negotiations, data uploads, and hosting of stolen data. These shutdown activities began on May 19th, 2022. Conti's leadership had anticipated this moment, using the attack on Costa Rica as a cover. Despite the shutdown, the threat from Conti remains, as the group transitions to a more decentralized network structure. AdvIntel outlines four types of sub-groups that may continue Conti's operations, focusing on data exfiltration over encryption. This transition is particularly evident in groups like Karakurt and BlackByte, signaling a shift towards data theft without the need for ransomware lockers.
Ursnif Phishing Campaigns
Qualys reviews Ursnif malware, targeting banking, financial services, and government sectors through phishing emails. Ursnif steals credentials and downloads additional payloads. The malware uses Excel and zip attachments to infect victims, leveraging current events and impersonating government authorities.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
