

We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk-, pattern-, and sequence-based detections that correlate the outputs of Threat Identifiers to separate actual threats from isolated atomic hits.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024




All Threat Reports
Yanluowang Ransomware Linked to Thieflock Affiliate
Symantec reports that the Yanluowang ransomware is being deployed by an affiliate previously tied to Thieflock, against US corporations in several sectors. Observed tradecraft includes BazarLoader for initial access, PowerShell to enable RDP, and AdFind for Active Directory reconnaissance; the overlap suggests the affiliate has shifted allegiance from Thieflock to Yanluowang.
TiltedTemple Campaign, APT27
Palo Alto Networks Unit 42 reports APT27's TiltedTemple campaign, which exploits vulnerabilities in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077). The group developed its own remote code execution exploit and has targeted organizations since September 2021; exploitation relies on specific API requests to deploy and execute payloads.
Microsoft Excel (XLL) Leads to RedLine Info-Stealer
Threat actors are distributing the RedLine information stealer through malicious Excel XLL add-ins posted to public forums and article comment systems. An XLL is a DLL that exports Excel add-in entry points and runs when Excel loads it; the samples, hosted on Google Drive, carry the malicious logic. Some test runs failed on incompatible Excel versions, but successful ones executed the DLL via regsvr32 or rundll32, which used wget.exe to download RedLine and saved it as %UserProfile%\JavaBridge32.exe. The malware persists through an autorun registry entry.
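The XLL chain above maps cleanly onto the two detection tiers described at the top of this page: each observable step (Excel spawning regsvr32/rundll32, wget.exe dropping an executable into a user profile, an autorun value pointing at that executable) is an atomic Threat Identifier, and a sequence-based Threat Scenario correlates them per host. The following is an added example written for this page, not Anvilogic's code or detection content; the event records, field names, hostnames, paths and the 15-minute window are all constructed for the illustration.

```python
"""Added example (not Anvilogic's code): the XLL -> RedLine chain expressed as
three atomic threat identifiers that a sequence-based threat scenario correlates
per host. Event records, field names, hostnames and paths are constructed for
this illustration; map them onto your own endpoint telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "process" (creation), "file" (write) or "registry" (value set)
    data: dict

OFFICE_APPS = {"excel.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def in_user_profile(path: str) -> bool:
    return "\\users\\" in path.lower() and path.lower().endswith(".exe")

# --- Threat identifiers: atomic, single-event predicates -------------------
def ti_office_spawns_lolbin(e: Event) -> bool:
    """Excel handing an XLL to regsvr32/rundll32."""
    return (e.kind == "process"
            and basename(e.data["parent_image"]) in OFFICE_APPS
            and basename(e.data["image"]) in LOLBINS)

def ti_wget_drops_exe(e: Event) -> bool:
    """wget.exe writing an executable under a user profile (e.g. JavaBridge32.exe)."""
    return (e.kind == "file"
            and basename(e.data["image"]) == "wget.exe"
            and in_user_profile(e.data["target"]))

def ti_run_key_to_profile_exe(e: Event) -> bool:
    """Autorun value pointing at an executable under a user profile."""
    return (e.kind == "registry"
            and e.data["key"].lower().endswith(RUN_KEY)
            and in_user_profile(e.data["value"]))

IDENTIFIERS = [
    ("office_spawns_lolbin", ti_office_spawns_lolbin),
    ("wget_drops_exe", ti_wget_drops_exe),
    ("run_key_to_profile_exe", ti_run_key_to_profile_exe),
]

def run_identifiers(events):
    """Tag every event with the identifiers it matches: (ts, host, identifier)."""
    return [(e.ts, e.host, name) for e in events for name, pred in IDENTIFIERS if pred(e)]

# --- Threat scenario: ordered sequence of identifier outputs per host ------
def threat_scenario(hits, window=timedelta(minutes=15)):
    """Alert when all identifiers fire on one host, in chain order, inside `window`."""
    order = [name for name, _ in IDENTIFIERS]
    by_host = {}
    for ts, host, name in sorted(hits):
        by_host.setdefault(host, []).append((ts, name))
    alerts = []
    for host, seq in by_host.items():
        stage, start = 0, None
        for ts, name in seq:
            if stage and ts - start > window:   # window expired: start over
                stage, start = 0, None
            if name == order[stage]:
                if stage == 0:
                    start = ts
                stage += 1
                if stage == len(order):
                    alerts.append({"host": host, "first_seen": start, "last_seen": ts})
                    stage, start = 0, None
    return alerts

def detect(events):
    return threat_scenario(run_identifiers(events))

# Constructed sample telemetry: one full chain on WS01, unrelated noise on WS02.
T0 = datetime(2021, 12, 6, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "WS01", "process", {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                                  "image": r"C:\Windows\System32\regsvr32.exe",
                                  "cmdline": r'regsvr32.exe /s "C:\Users\alice\Downloads\invoice.xll"'}),
    Event(T0 + timedelta(seconds=5), "WS01", "file", {"image": r"C:\Users\alice\AppData\Local\Temp\wget.exe",
                                                      "target": r"C:\Users\alice\JavaBridge32.exe"}),
    Event(T0 + timedelta(seconds=9), "WS01", "registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                                          "value": r"C:\Users\alice\JavaBridge32.exe"}),
    Event(T0 + timedelta(minutes=1), "WS02", "process", {"parent_image": r"C:\Windows\explorer.exe",
                                                         "image": r"C:\Windows\System32\rundll32.exe",
                                                         "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"}),
    Event(T0 + timedelta(minutes=2), "WS02", "file", {"image": r"C:\Tools\wget.exe",
                                                      "target": r"C:\Users\bob\setup.exe"}),
    Event(T0 + timedelta(minutes=3), "WS02", "registry", {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                                                          "value": r"C:\Program Files\Vendor\updater.exe"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

WS02 trips one identifier (wget.exe writing an executable into a profile) but never the scenario, which is the point of the two-tier split: the atomic hit is kept for hunting and risk scoring, while the alert requires the ordered chain on a single host. Widen OFFICE_APPS and LOLBINS to match your environment, and anchor the sequence on the process-creation event rather than the file write if your telemetry does not record the writing image.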
Precedence Group's Overly-Permissive SPF DNS Record
Managed service provider Precedence Group published an overly permissive SPF DNS record, exposing 190 Australian organizations to email spoofing. The record, in place since March 2019, allowed any AWS user to send mail that passed SPF checks as those organizations. Sebastian Salla, CEO of CanIPhish, highlighted the risk; the issue was fixed on November 29, 2021.
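The failure mode above is an SPF record that authorizes address space the domain owner does not exclusively control, so every other tenant of that space can send SPF-passing mail as the domain. The audit below is an added example written for this page (not CanIPhish's tooling and not Anvilogic's code). The two records, the RFC 5737 documentation ranges, the deliberately widened /12 and the size thresholds are constructed for illustration; it runs offline, so include/a/mx/redirect terms are reported as unresolved rather than followed.

```python
"""Added example (not CanIPhish's or Anvilogic's code): offline audit of an SPF
record for over-permissive authorisation. Records and thresholds are constructed
for illustration; no DNS is queried, so include/a/mx/redirect terms are listed
as unresolved instead of being expanded."""
import ipaddress

MAX_IPV4_ADDRESSES = 65536   # policy choice for this example: more than a /16 in total is suspicious
WIDEST_IPV4_PREFIX = 16      # any single ip4 block wider than /16 is flagged
WIDEST_IPV6_PREFIX = 48      # any single ip6 block wider than /48 is flagged

def parse_terms(record: str):
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    return terms[1:]

def audit_spf(record: str) -> dict:
    """Summarise how much address space `record` authorises and why it may be risky."""
    findings, unresolved = [], []
    ipv4_total = 0
    saw_all = False
    for term in parse_terms(record):
        if term.lower().startswith(("redirect=", "exp=")):   # modifiers, need DNS to follow
            unresolved.append(term)
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            saw_all = True
            if qualifier in "+?":
                findings.append(f"'{qualifier}all' gives unlisted senders pass or neutral")
        elif name in ("ip4", "ip6"):
            if qualifier != "+":
                continue   # -ip4 / ~ip4 do not authorise anything
            net = ipaddress.ip_network(arg, strict=False)
            widest = WIDEST_IPV4_PREFIX if net.version == 4 else WIDEST_IPV6_PREFIX
            if net.prefixlen < widest:
                findings.append(f"{name}:{net.with_prefixlen} is wider than /{widest}; "
                                "a shared range (e.g. a cloud provider's) lets other tenants spoof you")
            if net.version == 4:
                ipv4_total += net.num_addresses
        elif name in ("a", "mx", "include", "exists", "ptr"):
            unresolved.append(f"{name}:{arg}" if arg else name)
        else:
            findings.append(f"unknown term {term!r}")
    if not saw_all and not any(u.lower().startswith("redirect=") for u in unresolved):
        findings.append("no 'all' mechanism: default result is neutral, so SPF asserts nothing about unlisted senders")
    if ipv4_total > MAX_IPV4_ADDRESSES:
        findings.append(f"{ipv4_total} IPv4 addresses authorised in total")
    return {"ipv4_addresses": ipv4_total, "unresolved": unresolved,
            "findings": findings, "risky": bool(findings)}

# Constructed records: the weak one authorises a whole /12 the domain owner does not
# exclusively control; the fixed one lists only its own two /24s and hard-fails the rest.
WEAK_RECORD = "v=spf1 ip4:198.51.100.0/12 include:_spf.example.net ~all"
FIXED_RECORD = "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("fixed", FIXED_RECORD)):
        print(label, audit_spf(rec))
```

The unresolved list matters as much as the findings: an `include:` of a large shared sender can authorize far more space than the literal `ip4:` terms show, so a complete audit expands each include (respecting the RFC 7208 limit of 10 DNS-querying terms) and re-runs the same size checks on the result.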
Nobelium Groups UNC3004 and UNC2652 from Mandiant
Mandiant tracks two Nobelium clusters, UNC3004 and UNC2652, targeting technology firms with tradecraft that includes the CEELOADER downloader, abuse of Azure permissions, and MFA push-notification abuse (repeatedly prompting a user until one request is approved). The groups use compromised credentials and info-stealer malware to collect and exfiltrate data aligned with Russian intelligence interests.
CVE-2021-34535 Remote Code Execution Vulnerability
Malcolm Stagg, a Synack Red Team (SRT) member, discovered CVE-2021-34535, a remote code execution vulnerability in the Windows Remote Desktop client. An integer overflow in the TSMF media decoder leads to a heap buffer overflow: a buffer size just below the upper limit wraps during the length calculation, so a small buffer is allocated while a large amount of attacker-controlled data is copied into it, overwriting adjacent heap structures with attacker-controlled data. Microsoft patched the vulnerability in August 2021; the published proof of concept assumes the attacker can already bypass address space layout randomization (ASLR).

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats and provide the community, and our customers, with actionable information and enterprise-ready detections so they can defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors, covered by threat identifiers or threat scenarios for response.
Strategic
General information security news, for awareness.
Whitepapers
