We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Fortinet Presents An In-Depth View of a Rhysida Intrusion
Fortinet's Managed Detection and Response team provides a thorough analysis of the Rhysida ransomware group, recently highlighted in CISA's #StopRansomware advisory. This ransomware-as-a-service has affected over 50 organizations, primarily in the United States, Germany, France, Italy, and England, with education, manufacturing, technology, government, and construction being the most targeted sectors.
#StopRansomware Offers Defensive Strategies for Rhysida Ransomware
The joint advisory by CISA and the FBI sheds light on the opportunistic Rhysida ransomware gang, known for targeting a wide range of sectors including education, healthcare, and technology. The advisory reveals Rhysida's approach of exploiting compromised credentials and remote services, including the use of the Zerologon vulnerability.
The Citrix Bleed Trail Leads to an Organized LockBit Campaign
The LockBit ransomware gang has been exploiting the Citrix Bleed vulnerability (CVE-2023-4966) in a series of organized attacks against high-profile targets, including the Industrial and Commercial Bank of China, DP World, Allen & Overy, and Boeing. These entities, with vulnerable Citrix instances, highlight a broader issue of thousands of internet-exposed endpoints still at risk. Kevin Beaumont's investigation reveals a lack of logging for the initial exploitation in NetScaler, complicating detection and response efforts.
APT29 Tactics: Car Sale Lures Exploiting WinRAR Vulnerability
Slug (34 characters or less, including dashes): apt29-winrar-exploit-tactics (28 characters) Title Tag (10-60 characters, including spaces): APT29 Exploits WinRAR in Embassy Cyber Attacks (47 characters) Meta Description (100 to 160 characters, including spaces): APT29, a Russian threat group, targets European embassies exploiting WinRAR vulnerability CVE-2023-38831, using car sale lures for infiltration. (147 characters) Open Graph Title (Social Media, 60-90 Characters): Russian APT29's WinRAR Exploit Targets Embassies Across Europe (69 characters) Open Graph Description (Social Media, 120-200 Characters): Discover how APT29 leverages WinRAR vulnerability in targeted cyber attacks against European embassies, using sophisticated car sale email lures. (153 characters) Synopsis: APT29, a Russian cyber threat group, has been actively targeting European embassies using a car sale lure to exploit the WinRAR vulnerability CVE-2023-38831. Countries like Azerbaijan, Greece, Romania, and Italy have been affected, with specific focus on the Ministry of Foreign Affairs and telecommunications providers like Greece's Otenet.
Insights of a Dangerously Proficient Social Engineering Group, Scattered Spider
The FBI and CISA's latest advisory focuses on Scattered Spider, a threat group also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra, renowned for their advanced social engineering techniques. The group, displaying skill sets overlapping with Microsoft's Octo Tempest, engages in sophisticated phishing, push bombing, and SIM swap attacks to acquire credentials and bypass multi-factor authentication (MFA).
CISA Updates Advisory for Royal Ransomware Gang, Amassed $275 Million in Ransom
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its advisory on the Royal ransomware group, revealing its significant global impact since September 2022. The group, suspected of rebranding to 'Blacksuit,' has targeted over 350 victims worldwide, particularly in critical sectors, accumulating ransoms exceeding $275 million. Utilizing phishing, RDP, and exploiting vulnerable applications, Royal gains initial access, later employing tools like Chisel, Cobalt Strike, and leveraging Qakbot C2 infrastructure.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
