We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024




All Threat Reports
Deep Panda & Fire Chili Rootkits
FortiGuard Labs researchers identified Deep Panda, a Chinese APT group, exploiting the Log4Shell vulnerability using a new rootkit called Fire Chili. The attack involves stolen certificates from gaming companies and targets vulnerable VMware Horizon servers with encoded PowerShell commands to install malicious DLL files.
Spring Vulnerabilities
On March 29th, 2022, critical vulnerabilities in the Spring framework, including Spring4Shell (CVE-2022-22965) affecting Spring Core and an RCE flaw (CVE-2022-22963) in Spring Cloud Function, were identified. Exploits require JDK 9+, Apache Tomcat, and specific deployment conditions. Spring Core versions 5.3.17 and older are impacted.
New Attack: Browser-in-the-Browser (BITB)
Security researcher mr.d0x has identified a Browser-in-the-Browser (BITB) attack that simulates legitimate authentication windows to execute phishing attacks. The attack uses HTML, CSS, and JavaScript to create indistinguishable fake browser windows, compromising the reliability of checking URLs for phishing prevention.
Microsoft Confirms LAPSUS$ Hack & Analysis
Microsoft confirms a data breach by the Lapsus$ (DEV-0537) data extortion group, compromising project source code for Bing and Cortana. No customer data was affected. Initial access was gained through credential theft from malware like Redline, access brokers, and insider recruitment. The group escalated privileges by targeting internal server vulnerabilities and searching internal repositories. Lapsus$ gathered intelligence by joining crisis calls and observing internal messages. They created global admin accounts in cloud tenants, set mail transport rules, and removed other admin accounts, locking out organizations and exfiltrating data.
BitRAT
BitRAT has been available for purchase on hacking forums since 2020 and continues to be used by attackers today. The malware is disguised as a Windows 10 license verification tool, targeting users who download illegal crack tools. Once installed, BitRAT provides advanced features such as info-stealing, hidden virtual network computing, remote desktop access, coin mining, and proxies.
Energy Sector Targeted by Russian Cyber Actors
CISA, FBI, and DOE reveal that Russian state-sponsored hackers targeted the energy sector from 2011 to 2018. Indicted by the DOJ, the FSB group used malware like Havex and shifted tactics from spear-phishing to third-party compromises. Attackers exfiltrated ICS and OT information, including vendor details and system diagrams.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats in order to provide the community, and our customers, with actionable information and enterprise-ready detections so they can defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want