We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Emotet Surges in Japan
Cybereason reports a surge in Emotet malware targeting Japanese organizations in the first quarter of 2022. The malware is distributed via malicious Excel documents and executed using regsvr32 with a .ocx file extension. Emotet establishes persistence in the registry and conducts reconnaissance without using PowerShell for deployment.
Cyber Incident Reporting Bill
The U.S. Senate has approved legislation mandating critical infrastructure operators to report breaches to CISA within 72 hours and ransom payments within 24 hours. This bill, expected to be signed by President Biden, aims to enhance intelligence sharing and national cybersecurity.
BazarLoader Malware Leverages Contact Forms
Abnormal Security observed BazarLoader exploiting online contact forms from December 2021 to January 2022. Attackers posed as prospective customers to send malicious links via file sharing services like TransferNow and WeTransfer. The downloaded files included an ISO file (a .lnk shortcut) and a .log file (the BazarLoader DLL). If executed, the shortcut file used regsvr32.exe to run the DLL, injecting it into svchost.exe. The campaign likely aims to deploy Conti ransomware or Cobalt Strike."
RagnarLoocker - FBI Flash Report
The FBI's flash report highlights RagnarLocker ransomware, affecting 52 entities across critical sectors, including manufacturing, energy, and IT, since April 2020. RagnarLocker avoids systems in certain regions and deletes shadow copies before encrypting specific files. The ransomware family continues to pose significant threats to critical infrastructure.
Mandiant Reports APT41 Targeting US Government
Mandiant reports that Chinese state-sponsored threat group APT41 targeted six U.S. state government entities between May 2021 and February 2022. The group exploited vulnerabilities in public-facing web applications, including Log4j and USAHerds (CVE-2021-44207). APT41 used .NET deserialization attacks, SQL injection, and directory traversal vulnerabilities for initial access. Post-compromise, the group conducted reconnaissance, harvested credentials using dsquery and Mimikatz, and maintained persistence with scheduled tasks. APT41 utilized Cloudflare services for command and control (C2) and data exfiltration, employing evasion techniques like Alternate Data Stream (ADS) and VMProtect in malware.
CaddyWiper Data Wiper Attacks Ukraine
ESET researchers, as reported by BleepingComputer, have discovered CaddyWiper, a new data-destroying malware targeting Ukrainian organizations. The malware avoids affecting domain controllers, likely to retain access for attackers. Compiled on March 14th, 2022, CaddyWiper does not share significant code similarities with prior wipers but was deployed similarly to HermeticWiper, via Group Policy Objects (GPO), indicating prior control of the target network by the attackers.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
