We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Major Japanese Port Resume Operations
The Port of Nagoya, one of the largest ports in Japan, has resumed operations after a significant ransomware attack on July 4th, 2023. The attack, linked to the LockBit 3.0 ransomware gang, resulted in major disruptions in cargo handling due to system failures. Despite the delays in restoring operations due to the need for extensive backup data inspections, the port managed to recover without paying a ransom. The incident underscores the vulnerability of vital trading infrastructure to cyber threats.
An Escalated Campaign with Manic Menagerie 2.0
The 'Manic Menagerie 2.0' threat campaign, an evolution of the original Manic Menagerie, aims to compromise web resources and deploy coin miners for financial gain. It targets web hosting and IT providers mainly in the United States and European Union. The threat actors exploit various vulnerabilities in web applications and IIS servers, deploying web shells to establish a foothold. During the second wave of attacks in 2022, they focused on deploying web shells at scale using a custom tool, strengthening their foothold and hiding web shells in nested folders. The threat actors also escalate privileges, add persistence mechanisms, and use various tools, such as RunasCs, PCHunter, and others, for these operations.
Microsoft Studies BlackBytes' Operations
Microsoft's Incident Response team has studied the operations of BlackByte 2.0, revealing a systematic five-day intrusion process. The attacks start with the exploitation of ProxyShell vulnerabilities, followed by remote command execution and system persistence establishment. BlackByte then uses tools like AdFind and NetScan for network enumeration and likely Mimikatz for credential theft. The group leverages stolen credentials to move laterally using RDP and PowerShell. An ExByte executable is deployed, which is specifically crafted for each victim, to collect and exfiltrate data to MEGA cloud storage service before commencing data encryption.
BlackCat Abuses Search Ads with Malicious WinSCP Downloads
The BlackCat ransomware gang is exploiting search ads to trick users into downloading a malicious version of the WinSCP file transfer application. The victims were lured in through a fraudulent tutorial which led them to a compromised WordPress site. Despite gaining high-level administrative privileges, the attackers were prevented from executing their final payload by Trend Micro's intervention. The group's tactics involved an array of tools including Python scripts, batch scripts, AdFind, Cobalt Strike, PowerShell, PowerView, PsExec, BitsAdmin, and AnyDesk.
Killnet Grows & Hones Their Attack Potency
The infamous Russian-linked Killnet threat group has been growing and evolving its attack tactics since 2022. Initially emerging amidst Russia's invasion of Ukraine, the group has been known for executing significant DDoS attacks against targets in Ukraine and its supporters. A recent report from Mandiant reveals that while there is no direct evidence linking Killnet to Russia, the group's operations consistently mirror Russian strategic objectives. Killnet's capabilities have expanded thanks to affiliates like REvil, Zarya Splinters, and notably Anonymous Sudan. With over 500 victims since the beginning of 2023, the threat group has shown no signs of slowing down, targeting numerous industries, mainly technology, social media, and transportation. Following their recent disruptive attack on Microsoft services, it's expected that Killnet will continue to bolster its attack potency.
Novel Attack Techniques from Threat Actor Targeting Middle East and African Government Orgs
Palo Alto's Cortex team uncovers CL-STA-0043, a suspected nation-state threat actor, deploying innovative espionage techniques against Middle East and African government organizations. With an objective of acquiring sensitive political and military data, this actor exhibits broad capabilities, including zero-day exploits and a variety of penetration tools.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
