We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
All Threat Reports
ANSSI Alerts of Nobelium Targeting French Organizations
ANSSI raised an alert on Nobelium phishing campaigns targeting French entities, with attacks beginning in February 2021 and escalating in May. Compromised French email accounts are used to send weaponized emails to foreign diplomatic sectors, utilizing various hosting providers.
RTF Template Injection
Proofpoint reports increased RTF template injection attacks by APT groups TA423, DoNot Team, and Gamaredon since February 2021. This technique alters RTF file control words to download malicious payloads. Targets include Malaysia's energy exploration and the Ukrainian government. Detection rates remain low, necessitating vigilance.
Yanluowang Ransomware Linked to Thieflock Affiliate
Symantec reports a connection between Yanluowang ransomware and Thieflock, targeting US corporations in various sectors. Yanluowang employs BazarLoader for initial access, PowerShell to enable RDP, and Adfind for reconnaissance, suggesting a shift in allegiances from Thieflock to Yanluowang.
TiltedTemple Campaign, APT27
Palo Alto Unit42 reports APT27's TiltedTemple campaign, exploiting Zoho's ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077) vulnerabilities. The threat group developed their own exploit for remote code execution, targeting organizations since September 2021. Exploitation involves specific API requests to deploy and execute payloads.
Microsoft Excel (XLL) Leads to RedLine Info-Stealer
Threat actors are spreading malicious Excel XLL add-ins via public forums and article comment systems to distribute the RedLine information stealer. These XLL files, hosted on Google Drive, function as DLL files executed by Excel, triggering malicious actions. While some tests failed due to incompatible Excel versions, successful sequences involve executing the DLL with regsvr32 or rundll32 to download RedLine using wget.exe, saving it as %UserProfile%\JavaBridge32.exe. The malware achieves persistence by creating an autorun registry entry.
Precedence Group's Overly-Permissive SPF DNS Record
Managed service provider Precedence Group used an overly-permissive SPF DNS record, exposing 190 Australian organizations to email spoofing. The vulnerability, present since March 2019, allowed any AWS user to send authenticated emails as these organizations. The issue was fixed on November 29, 2021. CEO of CanIPhish, Sebastian Salla, highlighted the risk.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.