We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
McMenamins Suffers Conti Ransomware Attack
On December 12, 2021, Portland brewery and hotel chain McMenamins suffered a ransomware attack by Conti, disrupting operations. The attack impacted point-of-sale systems, servers, and workstations, forcing the company to shut down its IT systems. The investigation is ongoing, and it is currently unknown if customer data has been compromised.
ALPHV/BlackCat ransomware - Technical Information from Symantec
Symantec's examination of the ALPHV/BlackCat ransomware reveals a targeted attack using SMB, registry manipulation, and PsExec to deploy malware and disable security systems on November 18, 2021.
APT31 Intrusion Set from ANSSI
ANSSI tracks APT31's intrusion tactics since January 2021, using methods like brute force, valid accounts, and Proxylogon exploits. Persistent actions include task scheduling, lateral movement via RDP/FTP/SMB, and data exfiltration through email, DNS, and SMB.
CVE-2021-44228 / Log4Shell Vulnerability
A zero-day exploit named CVE-2021-44228 (Log4Shell) was discovered in the Log4j library, affecting versions 2.0-beta9 to 2.14.1. This vulnerability allows remote code execution and impacts major services. Update to log4j-2.15.0-rc2 to mitigate the threat.
NSO Spyware Compromises US State Department Employees' Phones
Apple informed nine US State Department employees that their iPhones were compromised by NSO Pegasus spyware. The affected officials were either based in Uganda or focused on East African matters. The compromises occurred over the past several months, as reported by two Reuters sources.
Magecart Abuses Google Tag Manager
The Magecart threat actor group has exploited Google Tag Manager (GTM) by embedding malicious JavaScripts within GTM containers. This abuse allows the execution of JavaScript when a browser loads the container, collecting payment information from unsuspecting buyers through fraudulent payment forms and exfiltrating the data to a remote server. Gemini Advisory, a Recorded Future company, reports that since February 4th, 2021, 316 e-commerce sites have been compromised, resulting in at least 88,000 payment card records being posted for sale on dark web markets.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
