We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
APT10/Cicada Espionage Attacks
Symantec reports an expanded espionage campaign by APT10 (Cicada) targeting government and NGO entities across Europe, Asia, and North America. Techniques include exploiting Microsoft Exchange Servers and using tools like Sodamaster and Mimikatz.
Mandiant's Research of FIN7
Mandiant's updated research tracks the evolution of threat group FIN7 from late 2021 to early 2022, revealing its associations with ransomware operations like Maze, Darkside, Blackmatter, and ALPHV/Blackcat. FIN7 targets multiple industries, including financial services, food, medical, technology, transportation, and utilities. Mandiant tracks multiple uncategorized threat groups (UNCs) affiliated with FIN7. The group has refined its tools, with newer intrusions frequently using their PowerShell backdoor, PowerPlant, over older malware like LOADOUT and GRIFFON.
Lambda Malware, Denonia
Cado Security has identified Denonia, a new malware targeting AWS Lambda environments to deploy cryptominers. Written in Go, Denonia uses GitHub libraries and contains XMRig cryptominer software. The malware utilizes DNS over HTTPS (DoH) for encrypted DNS queries. It can also run on select Linux systems. The exact deployment method is unknown, but it may involve compromising AWS Access and Secret Keys to manually deploy into Lambda environments.
Colibri Loader
Malwarebytes has provided an analysis of Colibri Loader, a malware that appeared in underground forums in August 2021. Marketed to those with high traffic and limited time, Colibri Loader was recently observed delivering the Vidar information stealer. The attack chain begins with a malicious document triggering PowerShell to download Colibri Loader via BitsTransfer. Depending on the Windows version (7 or 10), the malware's directory location and scheduled task vary. The Windows 10 version achieves persistence by running PowerShell with a hidden window and exploiting the Get-Variable cmdlet by using a malicious executable named Get-Variable.exe. This technique leverages the default WindowsApps path to execute the malicious binary instead of the legitimate PowerShell cmdlet, demonstrating how adversaries can achieve persistence.
IcedID Spreads with Compromised Microsoft Exchange Servers
Intezer has observed a new IcedID malware campaign utilizing compromised Microsoft Exchange servers to send hijacked email threads for increased legitimacy. Historically a banking trojan, IcedID has evolved into a malware loader. The latest infection chain uses a zip file containing a malicious ISO with a DLL and LNK file, which, when executed, uses regsvr32 to deploy the malware.
eSentire Conti Leaks Analysis
eSentire's Threat Response Unit (TRU) analyzed Conti ransomware group leaks from 2021 and 2022, revealing their organized structure, use of operational manuals, and reliance on tools like Cobalt Strike, Mimikatz, and various LOLBins. The data leaks show Conti's detailed and efficient intrusion procedures.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
