We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
UNC2190 - Arcane and Sabbath
Mandiant's research on UNC2190 (Arcane/Sabbath) reveals the group's targeting of critical infrastructure in the US and Canada, along with sectors in education, health, and natural resources. Using ROLLCOAST ransomware, UNC2190 employs multifaceted extortion, data theft, and backup destruction. Notably, no ROLLCOAST code has been found for two years.
WIRTE Group
Kaspersky reports the WIRTE group is using Excel 4.0 macros to target high-profile entities, particularly in the Middle East. The attacks involve phishing campaigns, LotL techniques, and a PowerShell implant called LitePower. There's low confidence attribution linking WIRTE to the Gaza Cybergang.
Vestas Wind Systems Impacted by Cyberattack
Vestas Wind Systems, a wind turbine manufacturer, was hit by a cyberattack on November 19th, 2021. The company is working to restore internal IT systems, with investigations ongoing. Preliminary findings indicate no impact on customer or supply chain operations.
Squirrelwaffle + ProxyShell and ProxyLogon
Trend Micro reports the Squirrelwaffle loader exploiting ProxyShell and ProxyLogon vulnerabilities to hijack email threads without initial lateral movement or malware installation. When victims open a macro-enabled Excel file, a Qbot DLL is downloaded and executed via regsvr32. This technique has been observed since September 2021.
Prodraft Researchers Identify a Conti Server
Researchers at Prodaft identified an exposed server associated with the Conti ransomware gang, used for ransom negotiations. They monitored the server for weeks, observing network traffic including victim IP addresses and SSH traffic likely from ransomware operators via Tor exit nodes. Following Prodaft's report, Conti took the server offline.
Some tactical TTP details are shared for PHOSPHORUS/Magic Hound (MITRE: G0059)
Microsoft Threat Intelligence Center (MSTIC) research covers six Iranian threat actor groups, including PHOSPHORUS and CURIUM. Active since September 2020, these groups conduct ransomware attacks every 6-8 weeks, exploiting Fortinet FortiOS and Exchange Server vulnerabilities. The study also highlights social engineering and brute-forcing tactics used by these actors.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
