We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
All Threat Reports
Beware Scammers Pose as FTC Staff to Steal Money
The FTC has sounded an alarm over an uptick in scammers impersonating FTC officials to deceive individuals into sending money. Techniques involve urging victims to transfer funds, buy gold, or withdraw cash, under false pretexts. The median scam loss escalated from $3,000 in 2019 to $7,000 in 2024. With over 14,000 complaints of government impersonation frauds in 2023, resulting in $394 million in losses, the FTC, in collaboration with the FBI, has introduced the Government and Business Impersonation Rule to intensify efforts against such frauds. They urge public vigilance and reporting of suspicious activities, stressing that the FTC never demands money or threatens legal action for non-compliance.
Vast Post-Exploitation Opportunities from JetBrains Vulnerabilities
Trend Micro highlights the exploitation of JetBrains TeamCity vulnerabilities, CVE-2024-27198 and CVE-2024-27199, which risk administrative control and system integrity. CVE-2024-27198 facilitates various malicious activities, including ransomware deployment and cryptocurrency mining, while CVE-2024-27199 could lead to information leaks. With attackers leveraging these for extensive control and persistence within networks, organizations are urged to update their TeamCity servers promptly to mitigate potential breaches and protect their infrastructure against these significant threats.
The DEEP#GOSU Campaign's Script-Based Intrusion
Securonix unveils the DEEP#GOSU campaign, a sophisticated cyber espionage operation by North Korea's Kimsuky group targeting South Korea. Leveraging PowerShell and VBScript, attackers execute a script-based intrusion, employing encrypted communication and cloud services like Dropbox for stealth. The campaign involves deploying a Remote Access Trojan (RAT) for full control over infected systems, highlighting the need for vigilance in detecting unusual script activity and securing cloud service usage to mitigate threats.
Earth Krahang's Wide-Reaching Cyber Espionage Tactics and Targets
Trend Micro's report highlights Earth Krahang's cyber espionage impacting various sectors globally, including defense, government, and technology. Utilizing malware and spear-phishing, this Chinese threat actor has compromised over 70 organizations in 45 countries. Techniques like CVE exploitation and malicious email campaigns enable Earth Krahang to infiltrate and exfiltrate data from targeted entities, underlining the need for robust cyber defense strategies.
Understanding the Cyber Threat Powerhouse Muddled Libra
Unit 42's analysis presents Muddled Libra as an advanced threat group, utilizing social engineering alongside technological prowess, distinct from similar groups by their broad targeting and adaptable tactics. With over 200 fake portals and targeted smishing, Muddled Libra adeptly collects credentials and MFA codes, evidencing their capacity to maneuver around defensive measures and exploit IT support. Their understanding of incident response frameworks further underscores their threat, necessitating vigilant cybersecurity strategies against their evolving methodologies.
Intricate MSSQL Attack Sequence Revealed
Huntress researchers unveiled a complex MSSQL server attack initiated through the xp_cmdshell stored procedure, leading to the stealthy transfer of data and the installation of remote access tools within minutes. This operation detailed the creation of a new user account, adjustments to registry settings for credential harvesting, and the setup of AnyDesk for persistent access. The sequence of these actions showcases the attackers' precision and the critical need for monitoring similar patterns to enhance early intrusion detection strategies.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want