We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Connecticut Airport Hit with Cyberattack
A cyberattack on Bradley International Airport's website, disclosed by CyberKnow and the Connecticut Airport Authority, occurred on March 29, 2022. Attackers left messages indicating the attack was in response to the Russia-Ukraine conflict, including statements like 'when the supply of weapons to Ukraine stops, attacks on the information structure of your country will instantly stop' and 'America, no one is afraid of you.' The U.S. Cybersecurity & Infrastructure Security Agency (CISA) reports no evidence of a data breach. While CyberKnow attributed the attack to the Russian threat actor group Killnet, the exact perpetrators remain undetermined.
APT36's Transparent Tribe Campaign
Cisco Talos reports that Pakistan-based APT36 (Mythic Leopard) has been targeting Indian government and military entities since June 2021 with the Transparent Tribe campaign. Methods include fraudulent installers, malicious documents with Covid-19 themes, and archive files. Key payloads are CrimsonRAT, a python-based stager, and a .NET-based implant.
Lapsus$ Hacks Globant
Information Technology and Software company Globant has been breached by the Lapsus$ group, resulting in the leak of 70GB of data, including source code and admin passwords. Clients like BNP Paribas, Facebook, Abbott, Stifel, and DHL are potentially affected. Researchers from VX-Underground and Comparitech suggest the breach was due to poor password hygiene. Despite recent arrests, Lapsus$ continues its operations, undeterred.
MFA Prompt-Bombing
MFA prompt-bombing is a tactic used by threat groups like Lapsus$ and APT29 to bypass older MFA methods. Attackers bombard users with verification requests until they approve access, exploiting push-button verification. This technique was used in the SolarWinds compromise and recent breaches by Lapsus$, including the Microsoft breach. Mandiant explains that attackers issue multiple MFA requests to the end user’s device until they accept, allowing access. While FIDO2 implementation is a step forward, companies must strengthen their security frameworks to mitigate this threat.
Deep Panda & Fire Chili Rootkits
FortiGuard Labs researchers identified Deep Panda, a Chinese APT group, exploiting the Log4Shell vulnerability using a new rootkit called Fire Chili. The attack involves stolen certificates from gaming companies and targets vulnerable VMWare Horizon servers with encoded PowerShell commands to install malicious DLL files.
Spring Vulnerabilities
On March 29th, 2022, critical vulnerabilities in the Spring framework, including Spring4Shell (CVE-2022-22965) affecting Spring Core and an RCE flaw (CVE-2022-22963) in Spring Cloud Function, were identified. Exploits require JDK 9+, Apache Tomcat, and specific deployment conditions. Spring Core versions 5.3.17 and older are impacted.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
