We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
RATDispenser a JavaScript Based Loader
HP Threat Research discovers RATDispenser, a JavaScript loader used to distribute multiple malware families like STRRAT, WSHRAT, RemcosRAT, and more. Operating under a malware-as-a-service model, RATDispenser spreads via malicious emails. Upon execution, it sets up a VBScript to download and execute the malware payload.
Tardigrade Targeting Bio-Manufacturing Facilities and Research Centers
BIO-ISAC reports Tardigrade's attacks on bio-manufacturing facilities and research centers, using a sophisticated SmokeLoader malware variant. First identified in Spring 2021, the malware spreads via phishing and USB sticks, impacting entities like Düsseldorf University and the European Medicines Agency, showing high autonomy and metamorphic capabilities.
PowerShortShell
SafeBreach Labs reports Iranian threat actors exploiting the MSHTML vulnerability (CVE-2021-40444) using the PowerShortShell script. The 153-line PowerShell script gathers data such as screen captures, Telegram files, and documents. The attack chain involves malicious emails, Word documents, and a DLL drop to the %temp% directory to execute PowerShortShell.
Google Cloud Threat Horizons
Google's Cybersecurity Action Team publishes its Threat Horizons report, revealing that 86% of compromised Google Cloud Platform (GCP) instances are used for crypto mining. Other malicious activities include public scanning (10%), launching attacks (8%), hosting malware (6%), hosting unauthorized content (4%), launching DDoS bots (2%), and sending spam (2%). Most successful attacks stem from weak passwords, authentication issues, vulnerable third-party software, misconfigurations, or leaked credentials. The report also tracks phishing by APT28/Fancy Bear and Black Matter ransomware.
InstallerFileTakeOver in use by Threat Actors
Security researcher Abdelhamid Naceri discovered the InstallerFileTakeOver vulnerability, a bypass of CVE-2021-41379 that wasn't properly patched by Microsoft in November 2021. This vulnerability allows users to escalate their privileges to admin. Cisco Talos has identified malware samples exploiting this vulnerability in the wild.
CronRAT
CronRAT is a remote access trojan that hides in the calendar system of a Linux server by scheduling tasks on the non-existent day of February 31st to evade detection. Discovered by security vendor Sansec, CronRAT has been found on multiple online stores. Its capabilities include fileless execution, timing modulation, anti-tampering checksums, control via binary obfuscated protocol, launching a tandem RAT in a separate Linux subsystem, a control server disguised as 'Dropbear SSH' service, and payloads hidden in legitimate CRON scheduled task names.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
