We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Nobelium Groups UNC3004 and UNC2652 from Mandiant
Mandiant tracks Nobelium clusters UNC3004 and UNC2652, targeting technology firms with tactics including CEELOADER, Azure permissions abuse, and MFA push notification exploitation. The groups use compromised credentials and info-stealer malware for data collection and exfiltration, focusing on Russian interests.
CVE-2021-34535 Remote Code Execution Vulnerability
Malcolm Stagg, a Synack Red Team (SRT) member, discovered CVE-2021-34535, a remote code execution vulnerability in the Windows Remote Desktop client. This vulnerability arises from an integer overflow in the TSMF media decoder, leading to a heap buffer overflow. By specifying a buffer size just below the upper limit, an integer overflow occurs, causing a small buffer to be allocated while a large amount of attacker-controlled data is copied into it. This results in a heap buffer overflow, overwriting structures throughout the program’s memory space with attacker-controlled data. Although the vulnerability was patched by Microsoft in August 2021, the proof-of-concept exploit assumes the attacker can bypass address space layout randomization (ASLR).
Cuba Ransomware
The FBI released a flash report on Cuba ransomware, which has compromised 49 entities across various critical infrastructure sectors since November 2021. Affected sectors include financial, government, healthcare, manufacturing, and information technology. The initial infection vector is identified as Hancitor malware, with threat actors using phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, and RDP tools to gain access. The attackers leverage legitimate Windows services like PowerShell and PsExec, and exploit Windows Admin privileges to execute their ransomware.
Emotet and App Installer
On November 11, 2021, Sophos reported that Emotet malware is using Windows App Installer packages, similar to BazarLoader's tactics. The attack starts with a phishing email linking to a fake Google Drive page, downloading a DLL file disguised as an Adobe PDF component, which executes via rundll32 and creates an autorun entry.
BlackByte Ransomware from RedCanary
RedCanary, in collaboration with Kroll, presents research from a BlackByte ransomware incident response engagement. The attack sequence began with initial access through the ProxyShell vulnerability and web shell deployment. Post-exploitation activities included the use of Cobalt Strike, impairing defenses by modifying process monitoring, Windows Defender, and firewall settings, culminating in ransomware deployment and file exfiltration.
Stardust Chollima
CrowdStrike reports that North Korean hackers "Stardust Chollima" targeted Chinese security researchers in June 2021 with phishing emails containing malicious attachments. The emails, referencing Chinese security agencies, aimed to steal hacking techniques and zero-day exploits. The success of these attacks remains unknown.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
