We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Starlink Target Risks
Elon Musk warns of high risks targeting Starlink, the sole non-Russian communication system active in Ukraine. Starlink provides critical internet connectivity amid the Russian invasion, but its unique position makes it a likely target for cyber attacks. The service has been crucial since its deployment on February 28th, 2022.
U.S Hospitals to Brace for Cyber Attacks
The AHA alerts U.S. hospitals to brace for potential cyber-attacks amid the Russia-Ukraine conflict. Hospitals are advised to prepare for disruptions lasting 4-6 weeks. Concerns include retaliation for sanctions and the Conti ransomware gang, which has previously targeted healthcare organizations and aligned with Russia.
Targeted BABYSHARK Attack on Think Tank
Huntress identified BABYSHARK malware targeting security think tanks, attributed to North Korean threat actors. The attack involved a fraudulent GoogleUpdater task, a targeted system check, and persistence mechanisms triggered by specific usernames. The origin was traced to a malicious phishing email with a link.
Samsung Electronics Data Leak
Lapsus$ has leaked 190GB of data from Samsung Electronics, made available via torrent. The data includes source code and security information across three parts, affecting Samsung's defense, device security, and various backend systems. The incident follows similar leaks from Nvidia, with no current statement from Samsung.
Nvidia Certificates Used in Malware
Threat actors are using stolen Nvidia certificates from a data leak to sign malware, including Cobalt Strike beacons and Mimikatz. Despite some certificates being expired, Windows still loads them, making the malware appear trustworthy. Researchers Bill Demirkapi, Kevin Beaumont, and Will Dormann reported these findings.
Lorenz Ransomware
Lorenz ransomware, first observed in February 2021 and likely a rebranding of .sZ40 ransomware from October 2020, has targeted over 20 victims in English-speaking countries. The group conducts methodical and customized attacks, performing reconnaissance, moving laterally, and collecting sensitive data. They use scheduled tasks to delete volume shadow copies and clear Windows logs. Unique extortion methods include selling compromised data to competitors or threat actors and leaking data publicly if ransoms are unpaid. The group also sells access to compromised networks. Europol's "No More Ransom" project released a limited decryptor for Lorenz ransomware.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
