We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Iranian APT Group 'Agonizing Serpens' Campaigns for Data Theft and Destruction
Unit 42 has identified a series of cyberattacks by the Iranian APT group Agonizing Serpens, targeting Israeli organizations in the education and technology sectors from January to October 2023. The group, also known as Agrius, BlackShadow, and Pink Sandstorm, utilized tactics like exploiting public-facing applications, credential theft, lateral movement, and data exfiltration. They deployed webshells, conducted reconnaissance, and used tools like Mimikatz for credential harvesting.
Kinsing Attackers Experiments with "Looney Tunables" Exploit for Cloud Compromise
The Kinsing malware group has shifted its focus towards exploiting the Looney Tunables Linux vulnerability, CVE-2023-4911, to compromise cloud environments. This new approach, involving the exploitation of PHPUnit and Looney Tunables vulnerabilities, demonstrates the group's evolving tactics from cryptomining to more intensive cloud-based attacks. AquaSec's analysis reveals their methodical experimentation with this exploit, hinting at a strategic expansion in their cyber activities.
"EleKtra-Leak" Campaign Scoops Up Leaked IAM Credentials for a Rapid Cryptojacking Attack
Unit 42 exposes "EleKtra-Leak," a persistent cloud security threat since December 2020, utilizing exposed IAM credentials for cryptojacking. The campaign shows a rapid exploitation of at-risk GitHub credentials, often within minutes. While encoded credentials are safe for now, the threat actor's automated processes and extensive use of API calls target cloud resources for cryptomining.
The Retail Sector & United States Lead as Primary Targets of the Knight Ransomware Group
Knight ransomware, identified as a Cyclops rebrand, has marked the retail sector and U.S.-based organizations as its prime targets since August 2023. Accounting for 60% of attacks, the group has also infiltrated healthcare, using phishing as the predominant tactic.
Signs of a Hive Reemergence Rebrands as "Hunters International"
The Hive ransomware gang, seemingly dismantled by the DOJ in January 2023, shows signs of resurgence as Hunters International. Analysis reveals a significant overlap in ransomware code, indicating a possible evolution rather than an end. Despite claims of distancing from Hive, Hunters International's operations and recent data thefts reflect a continuity of the threat landscape, with the RaaS model enabling a swift operational rebound.
Observed Exploitation of Apache ActiveMQ CVE-2023-46604
CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ, has been actively exploited, with initial attempts tracked by Huntress and Rapid7. Attackers have been observed using compromised hosts to download and attempt to install malicious MSI files, exhibiting ransomware-like behavior, including process termination and file encryption with a .locked extension.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
