We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
CVE-2022-26143: TP240PhoneHome
A sharp increase in DDoS attacks utilizing UDP port 10074 has been observed since mid-February 2022 by researchers from Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, NETSCOUT Arbor ASERT, TELUS, Team Cymru, and The Shadowserver Foundation. The source of this activity, CVE-2022-26143, has been traced to MiCollab and MiVoice Business Express collaboration systems produced by Mitel. The attacks exploit the tp240dvr service, designed for stress-testing clients, which should not be exposed to the internet. An estimated 2600 systems were improperly provisioned, enabling attackers to execute high-volume reflection/amplification DDoS attacks. Impacted industries include financial, gaming, and logistics. The largest observed attack reached approximately 53 million packets-per-second (mpps) and 23 gigabits-per-second (gb/sec) over a 5-minute duration. Mitel is currently working on a patch to disable the exposed system test facility.
Cybereason LOLBins & BITSadmin
Cybereason's threat hunting post examines the abuse of Living Off the Land Binaries (LOLBins), with a focus on BITSadmin. Malware variants like Astaroth and Egregor exploit these trusted binaries to download payloads and move files. The post highlights various LOLBins and their malicious uses.
Emotet Surges in Japan
Cybereason reports a surge in Emotet malware targeting Japanese organizations in the first quarter of 2022. The malware is distributed via malicious Excel documents and executed using regsvr32 with a .ocx file extension. Emotet establishes persistence in the registry and conducts reconnaissance without using PowerShell for deployment.
Cyber Incident Reporting Bill
The U.S. Senate has approved legislation mandating critical infrastructure operators to report breaches to CISA within 72 hours and ransom payments within 24 hours. This bill, expected to be signed by President Biden, aims to enhance intelligence sharing and national cybersecurity.
BazarLoader Malware Leverages Contact Forms
Abnormal Security observed BazarLoader exploiting online contact forms from December 2021 to January 2022. Attackers posed as prospective customers to send malicious links via file sharing services like TransferNow and WeTransfer. The downloaded files included an ISO file (a .lnk shortcut) and a .log file (the BazarLoader DLL). If executed, the shortcut file used regsvr32.exe to run the DLL, injecting it into svchost.exe. The campaign likely aims to deploy Conti ransomware or Cobalt Strike."
RagnarLoocker - FBI Flash Report
The FBI's flash report highlights RagnarLocker ransomware, affecting 52 entities across critical sectors, including manufacturing, energy, and IT, since April 2020. RagnarLocker avoids systems in certain regions and deletes shadow copies before encrypting specific files. The ransomware family continues to pose significant threats to critical infrastructure.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
