We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Malware “Liberator” Targets Ukraine
Cisco Talos reports that cybercriminals are exploiting the Russia-Ukraine conflict by distributing the "Liberator" malware to Ukraine sympathizers. Disguised as a DDoS tool against Russia, the malware is spread through Telegram, specifically targeting members of the Ukraine IT Army. The threat actor behind this has been active since November 2021, distributing various information stealers.
TA416
Since November 2021, Chinese APT group TA416 has escalated phishing attacks on European diplomats, using web bugs, SMTP2Go for sender impersonation, and Dropbox links to deliver PlugX malware. The campaigns increased notably following Russia's invasion of Ukraine, highlighting significant geopolitical implications.
Prophet Spider Exploits CVE-2021-22941
CrowdStrike reports that Prophet Spider exploited CVE-2021-22941, a remote code execution vulnerability in Citrix ShareFile Storage Zones Controller, to compromise an IIS web server. The attackers uploaded a webshell, checked connectivity using nslookup, and used PowerShell and wget to download additional files for further operations.
Lapsus$ Breaches Mercado Libre
The Lapsus$ threat group has breached Argentine e-commerce giant Mercado Libre, adding to its recent string of compromises. The breach, disclosed in a Securities and Exchange Commission (SEC) Form 8-K filing, revealed unauthorized access to the company's source code and data of 300,000 users. However, Mercado Libre assured that its IT infrastructure and sensitive financial information were not compromised. The company is implementing strict measures to prevent further incidents.
Google TAG Provides Update on Russian Threat Groups
Google’s Threat Analysis Group (TAG) updates on Russian threat groups targeting Ukraine. APT28/FancyBear conducts phishing campaigns to obtain credentials from Ukrainian media sites. Ghostwriter/UNC1151 targets Polish and Ukrainian government and military entities with phishing attacks. Mustang Panda/Temp.Hex distributes malicious zip files to download malware payloads, further escalating cyber threats in the region.
CISA Update on Conti Ransomware
The Cybersecurity & Infrastructure Security Agency (CISA) has updated alert AA21-265A, tracking Conti ransomware and providing new indicators of compromise (IOC) associated with the group. Conti ransomware has impacted over 1,000 organizations in the U.S. and internationally, often using Trickbot and Cobalt Strike as prevalent attack vectors. The group typically gains initial access through phishing emails or stolen accounts, employing various post-compromise techniques such as RDP brute force attacks, Kerberos attacks, running discovery commands to enumerate networks, spreading via SMB, stopping services, and deleting shadow copies.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
