We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
AsyncRAT Campaign Exploits Microsoft Processes
Trend Micro's Managed XDR team exposes a sophisticated AsyncRAT campaign exploiting Microsoft's aspnet_compiler.exe. The malware, known for keylogging and remote control, uses intricate scripts for evasion and persistence. Monitoring for unusual activities and process injections is vital to detect and defend against these evolving cyber threats.
Akira Ransomware Escalates Threat with Expanding Cyber Attacks
Sophos MDR Threat Intelligence reveals the escalating threat of Akira ransomware. Targeting multiple sectors, Akira employs complex cyber attacks, including the Megazord variant. Sophos's analysis highlights the group's advanced tactics and emphasizes the need for robust cybersecurity measures in response to these evolving threats.
APT29 Targets Tech Companies via TeamCity Flaw
CISA's advisory focuses on the Russian threat group APT29 (also known as the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard) exploiting the JetBrains TeamCity vulnerability, CVE-2023-42793. This high-severity flaw, rated 9.8/10, has been targeted at technology companies since late September 2023.
MuddyWater's Campaign Focuses on Telecom Sector in Three African Nations
Symantec's Threat Hunter team has uncovered that MuddyWater, an Iranian espionage group also known as Seedworm, is actively targeting telecommunications companies in Egypt, Sudan, and Tanzania as of November 2023. This marks a notable expansion of MuddyWater's activities beyond the Middle East. The group uses a complex attack chain involving PowerShell, scheduled tasks, WMIExec, SOCKS5 proxy tool Revsocks, and remote access software like SimpleHelp and AnyDesk.
#StopRansomware Warns of Play Ransomware with 300 Entities Worldwide Compromised
The joint advisory from the FBI, CISA, and ASD’s ACSC raises awareness of the Play ransomware group, also known as Playcrypt. Active since June 2022, Play ransomware has affected a broad range of sectors globally, including critical infrastructure in North America, South America, and Europe. The group has compromised approximately 300 entities by exploiting vulnerabilities in public-facing applications like FortiOS and Microsoft Exchange.
International Law Enforcement Agencies Unite to Take Down ALPHV/Blackcat’s Darknet Website
A major collaborative law enforcement effort led to the seizure of the notorious ALPHV/Blackcat ransomware gang's darknet website on December 19th. This action, credited to agencies like the FBI, US Justice Department, Europol, and others, was facilitated by a confidential source. Initially reported by The Record and observed by RedSense's Yelisey Bohuslavkiy, the seizure followed disruptions in the gang's operations.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
