We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
All Threat Reports
Sports Gear Sites Data Breach Impacts 1.8 Million People
A cyberattack on Tackle Warehouse, Running Warehouse, Tennis Warehouse, and Skate Warehouse compromised the credit card information of 1.8 million customers. Disclosed by a representing law firm, the breach includes names, financial account numbers, credit/debit card numbers with CVV, and account passwords. Notices were sent to affected customers, but no identity protection services were offered.
Malicious Microsoft Exchange IIS Module Owowa
Kaspersky has identified a malicious implant targeting Microsoft Exchange Outlook Web Access (OWA) applications, dubbed "Owowa." The implant enables remote command execution and captures user credentials from authenticated OWA users. Discovered in late 2020, Owowa has been circulating since April 2021 in parts of Europe, Malaysia, Mongolia, Indonesia, and the Philippines. The malicious module, named "ExtenderControlDesigner," is loaded via a PowerShell script.
Khonsari Ransomware & Log4Shell
The Khonsari ransomware family leverages the Log4Shell vulnerability (CVE-2021-44228) to target Windows servers. The malware executable "groenhuyzen.exe" exploits the JNDI class, encrypting user directories (Documents, Videos, Pictures, Downloads, Desktop) on all mounted drives except for the C:\ drive. The ransomware appends the extension .khonsari to encrypted files.
Dark Hotel APT Group
Zscaler ThreatLabz has identified recent activities by the Dark Hotel APT group from South Korea. The group uses multi-layered malicious documents that drop RTF files and employs advanced persistence techniques such as registry key creation and encoded PowerShell commands.
Clop Ransomware Publishes Confidential Police Data
As reported by 'The Mail' on December 19th, 2021, the Clop ransomware gang compromised IT services provider Dacoll in October 2021 and obtained data from a police national computer (PNC). After Dacoll refused to pay the ransom demand, the threat group posted the data on the dark web. The leaked data includes images of motorists captured by the UK's National Automatic Number Plate Recognition (ANPR) system.
DarkWatchman - Fileless Malware
Prevailion’s Adversarial Counterintelligence Team (PACT) uncovered DarkWatchman, a fileless JavaScript-based RAT. Utilizing Domain Generation Algorithms (DGA) for C2 and achieving persistence via the registry, DarkWatchman avoids disk writes, pairs with a C# keylogger, and leverages LOLbins.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want