Category: Threat Research

This article has been indexed from Threat Research On April 20, 2021, Mandiant published detailed results of our investigations into compromised Pulse Secure devices by suspected Chinese espionage operators. This blog post is intended to provide an update on our…

Read more →

This article has been indexed from Threat Research Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite…

Read more →

This article has been indexed from Threat Research Update (May 14): Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they…

Read more →

This article has been indexed from Threat Research Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Like…

Read more →

Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Like many of their peers, these actors conduct multifaceted…

Read more →

Executive Summary Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances. This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access…

Read more →

In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded sophistication of…

Read more →

In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded sophistication of…

Read more →

Read the original article: UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported…

Read more →

Read the original article: Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity In July 2020, Mandiant Threat Intelligence released a public report detailing an ongoing influence campaign we named “Ghostwriter.” Ghostwriter is a cyber-enabled influence campaign which…

Read more →

Read the original article: Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise In March 2021, Mandiant Managed Defense identified three zero-day vulnerabilities in SonicWall’s Email Security (ES) product that were being exploited in the wild. These vulnerabilities were…

Read more →

Read the original article: Abusing Replication: Stealing AD FS Secrets Over the Network Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased…

Read more →

Read the original article: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day Executive Summary Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances. This blog post examines multiple, related…

Read more →

Read the original article: Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise In March 2021, Mandiant Managed Defense identified three zero-day vulnerabilities in SonicWall’s Email Security (ES) product that were being exploited in the wild. These vulnerabilities were…

Read more →

Read the original article: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day Executive Summary Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances. This blog post examines multiple, related…

Read more →

Read the original article: M-Trends 2021: A View From the Front Lines We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination…

Read more →

Read the original article: Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology (OT). However, there is…

Read more →

Read the original article: M-Trends 2021: A View From the Front Lines We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination…

Read more →

Read the original article: Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology (OT). However, there is…

Read more →

Read the original article: Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service In this blog post we will describe: How attackers use the Background Intelligent Transfer Service (BITS) Forensic techniques for detecting attacker activity with…

Read more →

Read the original article: Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats There has only been a small number of broadly documented cyber attacks targeting operational technologies (OT) / industrial control systems (ICS) over the…

Read more →

Read the original article: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 UPDATE (Mar. 18): Mandiant recently observed targeted threat actors modifying mailbox folder permissions of user mailboxes to maintain persistent access to the targeted users’ email messages.…

Read more →

Read the original article: Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included…

Read more →

Read the original article: Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included…

Read more →

Read the original article: New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452 Executive Summary In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository. SUNSHUTTLE is…

Read more →

Read the original article: Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory Continuing our discussion of image parsing vulnerabilities in Windows, we take a look at a comparatively less popular vulnerability class: uninitialized memory. In this post, we will…

Read more →

Read the original article: So Unchill: Melting UNC2198 ICEDID to Ransomware Operations Mandiant Advanced Practices (AP) closely tracks the shifting tactics, techniques, and procedures (TTPs) of financially motivated groups who severely disrupt organizations with ransomware. In May 2020, FireEye released…

Read more →

Read the original article: Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly…

Read more →

Read the original article: Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly…

Read more →

Read the original article: Mandiant Exposes APT1 – One of China’s Cyber Espionage Units & Releases 3,000 Indicators Today, The Mandiant® Intelligence Center™ released an unprecedented report exposing APT1’s multi-year, enterprise-scale computer espionage campaign. APT1 is one of dozens of…

Read more →

Read the original article: Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part One) In 2019, Mandiant’s Red Team discovered a series of vulnerabilities present within Digi International’s ConnectPort X2e device, which allows for remote code…

Read more →

Read the original article: Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part Two) In this post, we continue our analysis of the SolarCity ConnectPort X2e Zigbee device (referred to throughout as X2e device). In Part…

Read more →

Read the original article: Mandiant Exposes APT1 – One of China’s Cyber Espionage Units & Releases 3,000 Indicators Today, The Mandiant® Intelligence Center™ released an unprecedented report exposing APT1’s multi-year, enterprise-scale computer espionage campaign. APT1 is one of dozens of…

Read more →

Read the original article: A Totally Tubular Treatise on TRITON and TriStation Introduction In December 2017, FireEye’s Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques…

Read more →

Read the original article: FLARE VM Update FLARE VM is the first of its kind reverse engineering and malware analysis distribution on Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many…

Read more →

Read the original article: Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains. These domains were…

Read more →

Read the original article: Training Transformers for Cyber Security Tasks: A Case Study on Malicious URL Prediction Highlights        Perform a case study on using Transformer models to solve cyber security problems Train a Transformer model to detect…

Read more →

Read the original article: Emulation of Kernel Mode Rootkits With Speakeasy In August 2020, we released a blog post about how the Speakeasy emulation framework can be used to emulate user mode malware such as shellcode. If you haven’t had…

Read more →

Read the original article: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 In December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is being tracked as UNC2452. In some, but not all, of the…

Read more →

Read the original article: Excelerating Analysis – Tips and Tricks to Analyze Data with Microsoft Excel Incident response investigations don’t always involve standard host-based artifacts with fully developed parsing and analysis tools. At FireEye Mandiant, we frequently encounter incidents that…

Read more →

Read the original article: SUNBURST Additional Technical Details FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with…

Read more →

Read the original article: SUNBURST Additional Technical Details FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with…

Read more →

Read the original article: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered…

Read more →

Read the original article: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered…

Read more →

Read the original article: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered…

Read more →

Read the original article: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered…

Read more →

Read the original article: Unauthorized Access of FireEye Red Team Tools Overview A highly sophisticated state-sponsored adversary stole FireEye Red Team tools. Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends…

Read more →

Read the original article: Using Speakeasy Emulation Framework Programmatically to Unpack Malware Andrew Davis recently announced the public release of his new Windows emulation framework named Speakeasy. While the introductory blog post focused on using Speakeasy as an automated malware…

Read more →

Read the original article: Election Cyber Threats in the Asia-Pacific Region In democratic societies, elections are the mechanism for choosing heads of state and policymakers. There are strong incentives for adversary nations to understand the intentions and preferences of the…

Read more →

Read the original article: Election Cyber Threats in the Asia-Pacific Region In democratic societies, elections are the mechanism for choosing heads of state and policymakers. There are strong incentives for adversary nations to understand the intentions and preferences of the…

Read more →

Read the original article: WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order…

Read more →

Read the original article: WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order…

Read more →

Read the original article: WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order…

Read more →

Read the original article: Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting…

Read more →

Read the original article: Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945 Through Mandiant investigation of intrusions, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise managed service providers and…

Read more →

Read the original article: In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover — CVE-2020-14871 FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a…

Read more →

Read the original article: Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945 Through Mandiant investigation of intrusions between February 2018 and September 2020, the FLARE Advanced Practices team observed a group we track as…

Read more →

Read the original article: Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment UPDATE (Oct. 30, 2020): We have updated the report to include additional protection and containment strategies based on front-line visibility and response efforts in…

Read more →

Read the original article: Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting…

Read more →

Read the original article: Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows…

Read more →

Read the original article: Flare-On 7 Challenge Solutions We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we’ve produced, with the lowest rate of finishers. This year’s…

Read more →

Read the original article: FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed…

Read more →

Read the original article: FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed…

Read more →

Read the original article: FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed…

Read more →

Read the original article: Detecting Microsoft 365 and Azure Active Directory Backdoors Mandiant has seen an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email…

Read more →

Read the original article: Fuzzing Image Parsing in Windows, Part One: Color Profiles Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to…

Read more →

Read the original article: APT41: A Dual Espionage and Cyber Crime Operation Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations.…

Read more →

Read the original article: A "DFUR-ent" Perspective on Threat Modeling and Application Log Forensic Analysis Many organizations operating in e-commerce, hospitality, healthcare, managed services, and other service industries rely on web applications. And buried within the application logs may be…

Read more →

Read the original article: Emulation of Malicious Shellcode With Speakeasy In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are…

Read more →

Read the original article: A Hands-On Introduction to Mandiant’s Approach to OT Red Teaming Operational technology (OT) asset owners have historically considered red teaming of OT and industrial control system (ICS) networks to be too risky due to the potential…

Read more →

Read the original article: Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE…

Read more →

Read the original article: Analyzing Dark Crystal RAT, a C# Backdoor The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse…

Read more →

Read the original article: COOKIEJAR: Tracking Adversaries With FireEye Endpoint Security’s Logon Tracker Module During a recent investigation at a telecommunications company led by Mandiant Managed Defense, our team was tasked with rapidly identifying systems that had been accessed by…

Read more →

Read the original article: COOKIEJAR: Tracking Adversaries With FireEye Endpoint Security’s Logon Tracker Module During a recent investigation at a telecommunications company led by Mandiant Managed Defense, our team was tasked with rapidly identifying systems that had been accessed by…

Read more →

Read the original article: Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE…

Read more →

Read the original article: Repurposing Neural Networks to Generate Synthetic Media for Information Operations FireEye’s Data Science and Information Operations Analysis teams released this blog post to coincide with our Black Hat USA 2020 Briefing, which details how open source,…

Read more →

Read the original article: Announcing the Seventh Annual Flare-On Challenge The FireEye Labs Advanced Reverse Engineering (FLARE) team is honored to announce that the popular Flare-On challenge will return for a triumphant seventh year. Ongoing global events proved no match against…

Read more →

Read the original article: Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office…

Read more →

Read the original article: ‘Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part…

Read more →

Read the original article: Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production…

Read more →

Read the original article: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed…

Read more →

Read the original article: It’s Your Money and They Want It Now — The Cycle of Adversary Pursuit When we discover new intrusions, we ask ourselves questions that will help us understand the totality of the activity set. How common…

Read more →

Read the original article: SCANdalous! (External Detection Using Network Scan Data and Automation) Real Quick In case you’re thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn’t get sued. SCANdalous—a.k.a. Scannah…

Read more →

Read the original article: Another Darkleech Campaign Last week got us up close and personal with Darkleech and Blackhole with our external careers web site. The fun didn’t end there, this week we saw a tidal wave of Darkleech activity…

Read more →

Read the original article: Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a…

Read more →

Read the original article: Using Real-Time Events in Investigations To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table (MFT),…

Read more →

Read the original article: Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis,…

Read more →

Read the original article: Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill — Intelligence for Vulnerability Management, Part One One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis,…

Read more →

Read the original article: Analyzing Dark Crystal RAT, a C# backdoor The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse…

Read more →

Read the original article: Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously…

Read more →

Read the original article: New Tactics. New Motives. New Services. Every day at Mandiant we respond to some of the largest cyber security incidents around the world. This gives us a front-row seat to witness what works (and what doesn’t)…

Read more →

Read the original article: Rotten Apples: Resurgence In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 (referred to as the…

Read more →

Read the original article: ‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from…

Read more →

Read the original article: Credit Card Data and Other Information Targeted in Netflix Phishing Campaign Introduction Through FireEye’s Email Threat Prevention (ETP) solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal…

Read more →

Read the original article: Feodo – A new botnet on the rise We are seeing a trend where new banking trojans are emerging on the threat landscape very rapidly.  First came Bugat followed by Carberp.  Unfortunately, it is time to…

Read more →

Read the original article: iBackDoor: High-Risk Code Hits iOS Apps Introduction FireEye mobile researchers recently discovered potentially “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store. The affected versions of…

Read more →

Read the original article: Maimed Ramnit Still Lurking in the Shadow Newspapers have the ability to do more than simply keep us current with worldly affairs; we can use them to squash bugs! Yet, as we move from waiting on…

Read more →

Read the original article: Connected Cars: The Open Road for Hackers As vehicles become both increasingly complex and better connected to the Internet, their newfound versatility may be manipulated for malicious purposes. Three of the most concerning potential threats looking…

Read more →

Read the original article: Overload: Critical Lessons from 15 Years of ICS Vulnerabilities In the past several years, a flood of vulnerabilities has hit industrial control systems (ICS) – the technological backbone of electric grids, water supplies, and production lines.…

Read more →

Read the original article: Unique Threats to Operational Technology and Cyber Physical Systems In this latest episode of our Eye on Security podcast, I talk all about the world of operational technology (OT) and cyber physical systems with one of our…

Read more →