

We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
All Threat Reports
Cactus Ransomware Strikes Through Qlik Sense Vulnerabilities
Arctic Wolf Labs has identified a new cyber threat where Cactus ransomware operators exploit vulnerabilities in Qlik Sense applications. Utilizing CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, the attackers gain initial access, subsequently deploying Cactus ransomware.
Job Centric Themes Fueling Two North Korean Campaigns
Unit 42 reveals two North Korean state-sponsored cyber campaigns, "Contagious Interview" and "Wagemole," exploiting job-centric themes. "Contagious Interview" targets software developers with simulated job interviews and collaboration hubs like GitHub, deploying malware like BeaverTail and InvisibleFerret for cryptocurrency theft, keylogging, and credential theft.
Boeing Supplements CISA Advisory for LockBit's Abuse of Citrix Bleed Vulnerability
A joint Cybersecurity Advisory, aided by Boeing and Kevin Beaumont, focuses on the threat of LockBit 3.0 ransomware exploiting the Citrix Bleed vulnerability (CVE-2023-4966). This vulnerability allows bypassing password and MFA requirements, enabling session hijacking on Citrix NetScaler ADC and Gateway appliances.
Fortinet Presents An In-Depth View of a Rhysida Intrusion
Fortinet's Managed Detection and Response team provides a thorough analysis of the Rhysida ransomware group, recently highlighted in CISA's #StopRansomware advisory. This ransomware-as-a-service has affected over 50 organizations, primarily in the United States, Germany, France, Italy, and England, with education, manufacturing, technology, government, and construction being the most targeted sectors.
#StopRansomware Offers Defensive Strategies for Rhysida Ransomware
The joint advisory by CISA and the FBI sheds light on the opportunistic Rhysida ransomware gang, known for targeting a wide range of sectors including education, healthcare, and technology. The advisory reveals Rhysida's approach of exploiting compromised credentials and remote services, including the use of the Zerologon vulnerability.
The Citrix Bleed Trail Leads to an Organized LockBit Campaign
The LockBit ransomware gang has been exploiting the Citrix Bleed vulnerability (CVE-2023-4966) in a series of organized attacks against high-profile targets, including the Industrial and Commercial Bank of China, DP World, Allen & Overy, and Boeing. These entities, with vulnerable Citrix instances, highlight a broader issue of thousands of internet-exposed endpoints still at risk. Kevin Beaumont's investigation reveals a lack of logging for the initial exploitation in NetScaler, complicating detection and response efforts.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats in order to provide the community, and our customers, with actionable information and enterprise-ready detections so they can defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors that can be responded to with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers

The World's Best SOC Teams Use Anvilogic
Build Detections You Want, Where You Want