We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Exposed Jupyter Notebooks Under Threat of "Qubitstrike" Cryptojacking Campaign
Cado Security’s Matt Muir has spotlighted a threatening cryptojacking campaign named "Qubitstrike", specifically targeting exposed Jupyter Notebooks. This campaign utilizes a variety of malicious tools, including scripts for credential theft, Linux rootkits, and the notorious XMRig coinminer. The threat actors cleverly manipulate the Codeberg platform to stage their scripts, aiming to snatch credential files of widely-used cloud services such as AWS and Google Cloud, and exfiltrate them via the Telegram Bot API.
OilRig's 8-Month Stay Inside a Middle Eastern Government Network
In a comprehensive investigation, Symantec’s Threat Hunter Team has unveiled the details of an 8-month-long cyber-espionage operation conducted by OilRig (also known as APT34 and Crambus), targeting a government entity in the Middle East. From February to September 2023, the Iranian espionage group executed sophisticated attacks, managing to exfiltrate sensitive data, compromise at least 12 computers, and install backdoors and keyloggers on numerous others. One of the key tools in their arsenal was PowerExchange, a PowerShell backdoor used for monitoring emails and executing commands discreetly.
CVE-2023-38545: A SOCKS Issue sets a High Rated curl Vulnerability
The globally utilized curl library has announced a pressing security advisory concerning a heap buffer overflow vulnerability within its SOCKS5 proxy implementation, CVE-2023-38545. Jay Satiro, a prominent name in the curl community, underscores that the crux of the issue is the handling of hostnames longer than 255 bytes in certain conditions. A crafted scenario presented by Daniel Stenberg, the open-source developer and maintainer of curl, illustrates a potential exploit where an HTTPS server could maliciously redirect a client using libcurl via a SOCKS5 proxy with an excessively long hostname.
CVE-2023-44487: New HTTP/2 "Rapid Reset" Sets DDoS Record
In a pivotal coordinated disclosure, giants AWS, Cloudflare, and Google unveiled a groundbreaking DDoS attack stemming from a vulnerability in the HTTP/2 protocol, termed as the "HTTP/2 rapid reset" attack. Recorded in August and September 2023, these attacks shattered prior records of Layer 7 DDoS attacks. The most extensive incident hit Google with 398 million requests per second. At the core of this exploit is the HTTP/2 feature allowing multiplexing of multiple logical connections over one HTTP session.
WS_FTP Server Exploit with a Familiar Attack Chain
Sophos X-Ops on Mastodon has reported that Progress Software's WS_FTP Server software is currently facing active exploitation due to the .NET Deserialization vulnerability, CVE-2023-40044. This high-risk vulnerability, graded 10/10 by the vendor, was addressed with a hotfix in September 2023. Despite the fix, Sophos's analysis reveals attackers employing familiar patterns, leveraging the IIS component and delivering malicious payloads to deploy ransomware. Shockingly, the ransomware in question seems to be derived from the leaked Lockbit 3.0 source code.
"Stayin’ Alive" Campaign Targets Government & Telecom Organizations in Asia Since 2021
Check Point Research has been monitoring an ongoing cyber campaign named "Stayin' Alive", active since at least 2021. Primarily targeting telecommunications and government sectors in Asian countries like Vietnam, Uzbekistan, Kazakhstan, and Pakistan, the campaign employs basic tools with the primary goal of downloading and executing additional payloads. Spear-phishing emails delivering archive files are common initial attack vectors, even exploiting known vulnerabilities.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
