We curate threat intelligence to provide situational awareness and actionable insights.
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024
All Threat Reports
Medical Records Heist: FBI Warns of Cyber Threats to Plastic Surgery Practices
The FBI has issued a critical advisory highlighting an increase in cyber threats specifically targeting plastic surgery practices, their surgeons, and patients. The threat actors follow a meticulous three-phase strategy, starting with data harvesting using malware deployed via spoofed emails or phone numbers. The harvested data includes sensitive medical records, personally identifiable information, and sometimes sensitive photographs.
The Ukrainian Cyber Alliance Brings Down Leak Site for Trigona Ransomware
The Ukrainian Cyber Alliance (UCA), a collective of pro-Ukraine hacktivists, has successfully taken down the leak site of the Trigona ransomware group, dealing a significant blow to their operations. In a comprehensive campaign, the UCA managed to wipe out Trigona's servers, deface their website, and secure critical data related to their illicit activities. The spokesperson for the hacktivist group, known as "herm1t," shared details of the operation on Facebook and the X platform, revealing that the UCA's actions had effectively dismantled Trigona's entire infrastructure.
Ongoing Peril: WinRAR Vulnerability Persists Despite Patch
The WinRAR vulnerability, CVE-2023-38831, initially spotlighted by Group-IB on August 23rd, 2023, continues to be a substantial cybersecurity concern. Though a patch was promptly released in August 2023, threat actors, including state-backed groups, persist in exploiting this vulnerability, signaling an extensive and ongoing threat vector. Reports indicate that exploitation attempts date back to April 2023, underscoring the persistent nature of this threat.
Exposed Jupyter Notebooks Under Threat of "Qubitstrike" Cryptojacking Campaign
Cado Security’s Matt Muir has spotlighted a threatening cryptojacking campaign named "Qubitstrike", specifically targeting exposed Jupyter Notebooks. This campaign utilizes a variety of malicious tools, including scripts for credential theft, Linux rootkits, and the notorious XMRig coinminer. The threat actors cleverly manipulate the Codeberg platform to stage their scripts, aiming to snatch credential files of widely-used cloud services such as AWS and Google Cloud, and exfiltrate them via the Telegram Bot API.
OilRig's 8-Month Stay Inside a Middle Eastern Government Network
In a comprehensive investigation, Symantec’s Threat Hunter Team has unveiled the details of an 8-month-long cyber-espionage operation conducted by OilRig (also known as APT34 and Crambus), targeting a government entity in the Middle East. From February to September 2023, the Iranian espionage group executed sophisticated attacks, managing to exfiltrate sensitive data, compromise at least 12 computers, and install backdoors and keyloggers on numerous others. One of the key tools in their arsenal was PowerExchange, a PowerShell backdoor used for monitoring emails and executing commands discreetly.
CVE-2023-38545: A SOCKS Issue Sets a High-Rated curl Vulnerability
The globally utilized curl library has announced a pressing security advisory concerning a heap buffer overflow vulnerability within its SOCKS5 proxy implementation, CVE-2023-38545. Jay Satiro, a prominent name in the curl community, underscores that the crux of the issue is the handling of hostnames longer than 255 bytes in certain conditions. A crafted scenario presented by Daniel Stenberg, the open-source developer and maintainer of curl, illustrates a potential exploit where an HTTPS server could maliciously redirect a client using libcurl via a SOCKS5 proxy with an excessively long hostname.

About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections so they can defend themselves in an ever-changing threat landscape.

Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
