We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Linux Distributions on Alert as "Looney Tunables" Vulnerability Threatens Root Access
The Qualys Threat Research Unit unveils "Looney Tunables," a dangerous vulnerability in the GNU C Library affecting several Linux distributions. This flaw, granting potential root privileges, impacts prominent distributions such as Fedora, Ubuntu, and Debian. The ease of exploiting this vulnerability, especially with the recent public disclosure of a functional exploit, intensifies the urgency for patches and heightened security measures.
"AMBERSQUID" Cryptojacking Ops Generates a High Dollar Resource Bill
Sysdig researchers unveil "AMBERSQUID," a cloud-native cryptojacking operation that cunningly uses AWS services to its advantage. Leveraging often-overlooked services like AWS Amplify and Amazon SageMaker, the attackers can potentially generate over $10,000 in daily charges. This sneaky approach, likely orchestrated by Indonesian attackers, bypasses the AWS checks for resource approval, complicating incident responses.
Espionage Campaign 'Operation Jacana' Targets Guyana Government Agency
ESET researcher Fernando Tavella reports an espionage campaign named "Operation Jacana" targeting a Guyana government agency. Originating from a spearphishing email, this operation, likely backed by a China-aligned threat actor, lured targets using contemporary geopolitical events. The emails directed users to a ZIP file, which, when accessed, launched the "DinodasRAT" backdoor malware into the user's system.
Senate Briefing Reveals 60,000 Emails Stolen from Storm-0558 Key Theft
In May 2023, the U.S. State Department experienced a significant data breach, with hacker group Storm-0558 forging Microsoft authentication tokens to access and steal 60,000 emails from 25 department accounts, as reported by Reuters. A majority of the compromised accounts were predominantly involved in Indo-Pacific diplomatic efforts. An earlier revelation from Microsoft pinpointed the origin of the incident to a compromised engineer’s corporate account and an accessible Windows crash dump that inadvertently exposed a signing key due to a race condition. With the email theft impacting sensitive diplomatic communications and revealing a list of departmental email accounts, this breach underscores the criticality of stringent cybersecurity practices and protocols in protecting sensitive government communications from sophisticated threat actors.
Compromised Credentials Facilitated the Breach Against the City of Dallas
In a revealing After-Action Report, the City of Dallas has detailed the timeline and impact of a crippling ransomware attack executed by the Royal gang, beginning covertly on April 7th, 2023, and erupting into a full-blown attack on May 3rd. Utilizing compromised credentials to breach the city's network, the threat actors deployed Cobalt Strike beacons and meticulously exfiltrated around 1.169 TB of data, culminating in a widespread encryption of prioritized servers using legitimate administrative tools.
Chinese Hacker Group Budworm Deploys An Updated Custom Malware - 'SysUpdate'
Budworm, a Chinese APT group also recognized as LuckyMouse and APT27, has sharpened its cyber-espionage arsenal with an upgraded variant of its custom malware, 'SysUpdate,' as revealed by Symantec's Threat Hunter Team. In a recent campaign against a Middle Eastern telecommunications organization and an Asian government agency, Budworm utilized this enhanced SysUpdate backdoor, employing DLL sideloading via a legitimate application (INISafeWebSSO) to skillfully avoid detection while ensuring the execution of its malicious code.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
