We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Trojan.Killdisk/HermeticWiper, Disk-Wiping Malware
Symantec reports on Killdisk/HermeticWiper, a disk-wiping malware discovered on February 24, 2022. The malware damages the Master Boot Record, making recovery impossible. A Lithuanian organization was infiltrated in November 2021, with staged files and persistence set up. The attack included certutil checks, credential collection, and PowerShell scripts, culminating in a wiper attack.
TA2541
ProofPoint tracks TA2541 targeting aviation, aerospace, transportation, and defense industries since 2017. The group uses phishing emails with malicious links to download RATs like AsyncRAT, NetWire, and Parallax. Techniques include PowerShell downloads, process injection, and persistence through startup directories and scheduled tasks.
Meyer Corporation Ransomware Attack
On October 25, 2021, Meyer Corporation, a cookware distributor, suffered a ransomware attack, as reported by BleepingComputer. The incident review completed on December 1, 2021, identified the compromise of employee data, including names, addresses, dates of birth, social security numbers, passports, and government ID numbers. Subsidiaries such as Hestan Commercial Corporation and Hestan Vineyards were also affected. While Meyer Corporation's notification lacks specific details, BleepingComputer linked the attack to the Conti ransomware group, which posted 2% of the stolen data on their extortion site.
Financial Fraud with Exchange Vulnerabilities
Since September 2021, Squirrelwaffle malware has been exploiting Microsoft Exchange ProxyLogon and ProxyShell vulnerabilities. According to Sophos, hijacked emails are used to spread the malware and commit financial fraud by creating "typo-squatted" domains and sending fraudulent payment requests. The attackers gain access to victims' payments by manipulating email threads.
Emotet Changes Infection Tactic
Palo Alto Unit42 has identified a new infection tactic used by Emotet malware. The attack begins with phishing emails containing hijacked email threads and delivers an Excel file with an obfuscated macro. Activating the macro downloads an HTML application, which then executes two stages of PowerShell to deploy the final Emotet payload.
Emissary Panda Attack Insight
HVS Consulting's report outlines a nine-month campaign by Emissary Panda, featuring phases of initial compromise, persistence, and data exfiltration. Major vulnerabilities exploited include ProxyLogon, Confluence, and Log4Shell. ProxyLogon, widely exploited by groups like Hafnium and Fancy Bear, led to significant Exchange server compromises.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
