We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
FIN8 Connection to White Rabbit Ransomware
In December 2021, White Rabbit ransomware was identified in an attack on a US bank. Potentially linked to the FIN8 group, it shares similarities with Egregor ransomware, requiring a command-line password for payload decryption. TrendMicro's telemetry revealed a PowerShell download via Cobalt Strike. White Rabbit targets remain few, suggesting ongoing testing by threat actors.
Diavol Ransomware and TrickBot Group
The FBI's latest report links Diavol ransomware to the TrickBot group, noting shared tactics and malware usage, including unique system IDs and Anchor DNS. The group has compromised entities with ransom demands from $10,000 to $500,000, though no data leaks have been observed.
APT41 UEFI Malware MoonBounce
Kaspersky reports that APT41 is using the highly persistent MoonBounce UEFI firmware implant, which resides in the SPI flash memory of the motherboard. The implant operates filelessly, initiating from the CORE_DXE component during the UEFI boot sequence and reaching out to a C2 server for further payloads. The implant was first identified in spring 2021, with evidence suggesting espionage activity starting as early as 2020.
Chinese Cyber-Espionage Group Earth Lusca
TrendMicro has identified the Chinese cyber-espionage group Earth Lusca, which conducts undercover operations on institutions of interest to the Chinese government while also engaging in financially motivated activities. Since mid-2021, Earth Lusca has targeted a wide range of industries, including education, finance (specifically cryptocurrency), gambling, government, news, telecommunications, and religion. The group employs watering hole attacks, spear-phishing campaigns, and exploits public-facing vulnerabilities such as ProxyShell and Oracle vulnerabilities to gain initial access.
WhisperGate
Palo Alto Unit42 reports on WhisperGate malware, targeting Ukraine since January 13, 2022. WhisperGate includes Stage1.exe, which overwrites master boot records, and Stage2.exe, an in-memory implant retrieving malicious files from Discord. The malware employs LOLBINs and anti-analysis techniques for evasion.
Crypto.com Data Breach
Crypto.com, one of the largest cryptocurrency trading platforms, disclosed a data breach on January 17th, 2022, compromising at least 483 customer accounts. Users reported unauthorized withdrawals, prompting the company to suspend transactions and implement additional security measures. Crypto.com's CEO Kris Marszalek confirmed that no customer funds were lost, and affected customers were fully reimbursed. The breach involved unauthorized withdrawals totaling 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other currencies. The company revoked all customers’ 2FA tokens, causing a 14-hour downtime for the withdrawal infrastructure.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
