We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Mandiant Sees An Increase of USB Infections in 2023
Mandiant researchers have observed a significant rise in USB infections during the first half of 2023, with their metrics indicating a threefold increase. The campaign targets a wide range of industry sectors, including print shops and hotels, and aims to steal data and provide a foothold for future attacks. The malware used in these attacks, SOGU and SNOWYDRIVE, serve to hijack DLLs and establish a foothold in the victim's systems. The attacker's lifecycle includes implementing persistence mechanisms, escalating privileges, conducting reconnaissance, propagating through the network, and exfiltrating sensitive data. The report highlights the importance of cybersecurity vigilance and the urgent need for preventive measures against such attacks.
TeamTNT Scans Relentlessly to Compromise Targets
In a new aggressive cloud campaign, TeamTNT is aiming to expand its botnet by relentlessly scanning the internet for misconfigurations and exposed services on various platforms. AquaSec researchers Ofek Itach and Assaf Morag, having infiltrated the TeamTNT's command and control (C2) server, discovered that the botnet perpetually scans the entirety of the internet, creating at least two new victims per hour. The increased efficiency of TeamTNT's scanning mechanisms, coupled with its extensive toolbox of scripts, poses a significant global threat that underlines the critical importance of proper configuration and security for cloud instances.
Nickelodeon Admits a Data Breach
Nickelodeon, an American television channel owned by Paramount Media Networks, has admitted to a data breach that resulted in approximately 500GB of compromised document and media files from its animation department. Despite reports of the data leak, Nickelodeon claims the breached data is "decades old." Investigations into the incident are ongoing, and the company has assured the public that the files do not appear to be from a recent system breach. The breach emphasizes the importance of stringent data security measures in the entertainment and media industry.
Major Japanese Port Resume Operations
The Port of Nagoya, one of the largest ports in Japan, has resumed operations after a significant ransomware attack on July 4th, 2023. The attack, linked to the LockBit 3.0 ransomware gang, resulted in major disruptions in cargo handling due to system failures. Despite the delays in restoring operations due to the need for extensive backup data inspections, the port managed to recover without paying a ransom. The incident underscores the vulnerability of vital trading infrastructure to cyber threats.
An Escalated Campaign with Manic Menagerie 2.0
The 'Manic Menagerie 2.0' threat campaign, an evolution of the original Manic Menagerie, aims to compromise web resources and deploy coin miners for financial gain. It targets web hosting and IT providers mainly in the United States and European Union. The threat actors exploit various vulnerabilities in web applications and IIS servers, deploying web shells to establish a foothold. During the second wave of attacks in 2022, they focused on deploying web shells at scale using a custom tool, strengthening their foothold and hiding web shells in nested folders. The threat actors also escalate privileges, add persistence mechanisms, and use various tools, such as RunasCs, PCHunter, and others, for these operations.
Microsoft Studies BlackBytes' Operations
Microsoft's Incident Response team has studied the operations of BlackByte 2.0, revealing a systematic five-day intrusion process. The attacks start with the exploitation of ProxyShell vulnerabilities, followed by remote command execution and system persistence establishment. BlackByte then uses tools like AdFind and NetScan for network enumeration and likely Mimikatz for credential theft. The group leverages stolen credentials to move laterally using RDP and PowerShell. An ExByte executable is deployed, which is specifically crafted for each victim, to collect and exfiltrate data to MEGA cloud storage service before commencing data encryption.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
