We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Conti & Karakurt Data Extortion Group
By accessing Conti servers, Infinitum IT Cyber Threat Intelligence team has identified a connection between the Conti ransomware group and the data extortion group Karakurt. Unlike Conti, Karakurt focuses solely on data exfiltration and extortion, gaining access primarily through compromised VPN credentials. Between September and November 2021, Karakurt compromised over 40 organizations, with an additional 11 in December 2021, primarily targeting entities in Canada and the United States. Infinitum IT's research, which began on February 27th, 2022, leveraged the Conti leaks to access resources such as Protonmail and Mega Upload. They discovered Conti uploading data to Karakurt's C2 servers using FileZilla and identified shared resources between the groups. Additionally, Conti's use of Inferno solutions, a Russian VPS service, led to the discovery of a data storage system containing over 20TB of victim data. Infinitum IT has shared this intelligence with the government.
Identify and Access Management (IAM) Lacking
Palo Alto Unit42's analysis reveals significant weaknesses in identity and access management (IAM) configurations for cloud security. Key issues include 44% of organizations allowing password reuse and 53% not enforcing complex passwords. Additionally, overly permissive policies are common, with cloud service provider policies providing 2.5 times more permissions than customer-managed policies. These IAM weaknesses facilitate easier access for attackers, with top threat groups including TeamTNT, WatchDog, Kinsing, Rocke, 8220, APT29, and APT41.
HAFNIUM "hidden" Scheduled Tasks
Microsoft Detection and Response Team (DART) and Microsoft Threat Intelligence Center (MSTIC) track HAFNIUM's new tactic from August 2021 to February 2022. The group targets telecommunications, ISPs, and data services, using hidden scheduled tasks to achieve persistence and evade detection. By deleting the Security Descriptor (SD) value in the registry, tasks become hidden from standard query tools, yet forensic analysts can recover details from other registry values and associated XML files.
Lazarus Operation Dream Job
Symantec has tracked Lazarus, a North Korean APT, targeting South Korea's chemical and IT sectors with Operation Dream Job since January 2022. The campaign, active since August 2020, uses fake job postings to lure victims. The attack chain typically involves executing an HTM file to download a malicious DLL for process injection, observed in INISAFE Web EX Client. The attackers also dump registry keys for credentials, execute BAT files, and create scheduled tasks for persistence.
MetaStealer Malware
New information-stealing malware, META, is gaining popularity among cybercriminals. Research from SANS and BleepingComputer reveals that META is being distributed through malspam campaigns. Since March 30th, 2022, at least 16 samples have been submitted to VirusTotal. The malware uses GitHub and transfer[.]sh URLs to host malicious binaries. Described as an improved version of RedLine on underground forums, META targets browser credentials and cryptocurrency wallets.
CISA Warns of Cybercriminals Targeting Industrial Control Systems
Multiple United States government agencies, including the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), have issued an advisory warning of potential attacks from advanced persistent threat (APT) groups targeting industrial control systems (ICS). Attackers have demonstrated the capability to gain full system control of ICS and supervisory control and data acquisition (SCADA) devices. CISA identified devices at risk, including Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. Although a recent attack by Sandworm targeting a Ukrainian energy provider on April 8th, 2022, was prevented, the threat remains significant.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
