We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Trend Micro’s Investigation Reveals Earth Kapre’s Evasive Cyber Espionage Techniques
Trend Micro's investigation into Earth Kapre, also known as RedCurl and Red Wolf, uncovers a cyber espionage campaign targeting various countries. Utilizing phishing emails with malicious .iso and .img attachments, the group leverages native Windows tools and complex obfuscation techniques for data theft and maintaining presence within compromised systems. Notable tactics include PowerShell for initiating attacks, the use of "curl.exe" for malicious downloads, and exploiting the Program Compatibility Assistant for indirect command execution. Detection engineers are advised to monitor for specific indicators of Earth Kapre's activity, such as unusual PowerShell and "rundll32" usage, to mitigate these sophisticated threats.
Recommendations for Countering Against Phobos Ransomware
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and MS-ISAC have released recommendations to combat Phobos ransomware, targeting critical sectors since May 2019. Phobos, a ransomware-as-a-service (RaaS) operation, exploits vulnerabilities in Remote Desktop Protocol (RDP) services and conducts sophisticated phishing campaigns. It employs tools like Smokeloader, Cobalt Strike, and Bloodhound for attacks. Recommendations include monitoring for initial access attempts, especially via phishing and vulnerable RDP ports, and detecting known executables associated with Phobos to mitigate threats.
Increasing Docker Exploitation for Cryptomining
Cado Security researchers have disclosed a campaign exploiting misconfigured servers, including Docker and Apache Hadoop YARN, for cryptomining. The operation involves Docker container escapes and Linux host intrusions, using Golang payloads and bash scripts for automated vulnerability exploitation. The report highlights parallels with previous cloud-targeting campaigns and outlines anti-forensics measures and attack techniques used to maintain stealth and persistence.
Cybersecurity Authorities Warn of APT29's Shift Towards Cloud Infrastructure Attacks
Cybersecurity advisories from CISA and the UK's NCSC have highlighted a strategic shift by APT29, a Russian state-sponsored cyber group, towards targeting cloud infrastructures across sectors such as aviation, education, financial, government, law enforcement, and military. The advisories detail APT29's evolved tactics to exploit cloud-based systems, including password spraying, leveraging service accounts, enrolling new devices to bypass MFA, and using residential proxies to hide their operations. These methods demonstrate a sophisticated understanding of cloud vulnerabilities, underscoring the need for organizations to adopt recommended mitigations to protect against such advanced threats.
Attackers' Bluff Exposed in S3 Bucket Deletion Scam
Cybersecurity analyst Stephan Berger (@malmoeb) has exposed a scam involving the deletion of AWS S3 buckets, where attackers then demand a ransom. The incident began with reconnaissance in January 2024, escalating to the deletion of an S3 bucket in February. The attackers left a ransom note and a supposed recovery binary, which Berger identified as a decoy designed to pressure victims into paying the ransom. The investigation revealed that only a small fraction of data was compromised, highlighting the deceptive nature of the attackers' claims. This analysis underscores the importance of skepticism and thorough investigation in the face of ransom demands.
More Ransomware Gangs Pounce on ScreenConnect Vulnerabilities
Trend Micro reports escalating ransomware attacks by Black Basta and Bl00dy gangs exploiting ScreenConnect vulnerabilities, CVE-2024-1708 and CVE-2024-1709, in versions 23.9.7 and earlier. The vulnerabilities, leading to ransomware deployment and data theft, are a critical security risk requiring immediate action. Attackers utilize sophisticated techniques, including path traversal and authentication bypass, to conduct reconnaissance, escalate privileges, and deploy malicious payloads such as Cobalt Strike beacons. These findings underscore the importance of updating and securing network environments against these emerging threats.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
