Category: Threat Research

Read the original article: Unique Threats to Operational Technology and Cyber Physical Systems In this latest episode of our Eye on Security podcast, I talk all about the world of operational technology (OT) and cyber physical systems with one of our…

Read more →

Read the original article: SCANdalous! (External Detection Using Network Scan Data and Automation) Real Quick In case you’re thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn’t get sued. SCANdalous—a.k.a. Scannah…

Read more →

Read the original article: capa: Automatically Identify Malware Capabilities capa is the FLARE team’s newest open-source tool for analyzing malicious programs. Our tool provides a framework for the community to encode, recognize, and share behaviors that we’ve seen in malware.…

Read more →

Read the original article: Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families Mandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity…

Read more →

Read the original article: SCANdalous! (External Detection Using Network Scan Data and Automation) Real Quick In case you’re thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn’t get sued. SCANdalous—a.k.a. Scannah…

Read more →

Read the original article: Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool We recently encountered a large obfuscated malware sample that offered several interesting analysis challenges. It used virtualization that prevented us from producing a fully-deobfuscated…

Read more →

Read the original article: Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool We recently encountered a large obfuscated malware sample that offered several interesting analysis challenges. It used virtualization that prevented us from producing a fully-deobfuscated…

Read more →

Read the original article: FLARE IDA Pro Script Series: MSDN Annotations Plugin for Malware Analysis The FireEye Labs Advanced Reverse Engineering (FLARE) Team continues to share knowledge and tools with the community. We started this blog series with a script…

Read more →

Read the original article: FLARE IDA Pro Script Series: MSDN Annotations Plugin for Malware Analysis The FireEye Labs Advanced Reverse Engineering (FLARE) Team continues to share knowledge and tools with the community. We started this blog series with a script…

Read more →

Read the original article: Using Real-Time Events in Investigations To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table (MFT),…

Read more →

Read the original article: Analyzing Dark Crystal RAT, a C# backdoor The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse…

Read more →

Read the original article: Analyzing Dark Crystal RAT, a C# backdoor The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse…

Read more →

Read the original article: Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously…

Read more →

Read the original article: Excelerating Analysis, Part 2 — X[LOOKUP] Gon’ Pivot To Ya In December 2019, we published a blog post on augmenting analysis using Microsoft Excel for various data sets for incident response investigations. As we described, investigations…

Read more →

Read the original article: Excelerating Analysis, Part 2 — X[LOOKUP] Gon’ Pivot To Ya In December 2019, we published a blog post on augmenting analysis using Microsoft Excel for various data sets for incident response investigations. As we described, investigations…

Read more →

Read the original article: Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence — Intelligence for Vulnerability Management, Part Four One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis,…

Read more →

Read the original article: Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence — Intelligence for Vulnerability Management, Part Four One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis,…

Read more →

Read the original article: Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence — Intelligence for Vulnerability Management, Part Three One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis,…

Read more →

Read the original article: Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against…

Read more →

Read the original article: Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against…

Read more →

Read the original article: Separating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities — Intelligence for Vulnerability Management, Part Three One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking,…

Read more →

Read the original article: Kerberos Tickets on Linux Red Teams At FireEye Mandiant, we conduct numerous red team engagements within Windows Active Directory environments. Consequently, we frequently encounter Linux systems integrated within Active Directory environments. Compromising an individual domain-joined Linux…

Read more →

Read the original article: Separating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities — Intelligence for Vulnerability Management, Part Three One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking,…

Read more →

Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two   Advertise on IT Security News. Read the complete article: Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for…

Read more →

New Variant of Ploutus ATM Malware Observed in the Wild in Latin America   Advertise on IT Security News. Read the complete article: New Variant of Ploutus ATM Malware Observed in the Wild in Latin America

Read more →

Limited Shifts in the Cyber Threat Landscape Driven by COVID-19   Advertise on IT Security News. Read the complete article: Limited Shifts in the Cyber Threat Landscape Driven by COVID-19

Read more →

Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation   Advertise on IT Security News. Read the complete article: Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation

Read more →

FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG   Advertise on IT Security News. Read the complete article: FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG

Read more →

Kerberos Tickets on Linux Red Teams   Advertise on IT Security News. Read the complete article: Kerberos Tickets on Linux Red Teams

Read more →

This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits   Advertise on IT Security News. Read the complete article: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

Read more →

It’s Your Money and They Want It Now — The Cycle of Adversary Pursuit   Advertise on IT Security News. Read the complete article: It’s Your Money and They Want It Now — The Cycle of Adversary Pursuit

Read more →

Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such…

Read more →

This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits   Advertise on IT Security News. Read the complete article: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

Read more →

This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits   Advertise on IT Security News. Read the complete article: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

Read more →

Six Facts about Address Space Layout Randomization on Windows   Advertise on IT Security News. Read the complete article: Six Facts about Address Space Layout Randomization on Windows

Read more →

Six Facts about Address Space Layout Randomization on Windows   Advertise on IT Security News. Read the complete article: Six Facts about Address Space Layout Randomization on Windows

Read more →

Six Facts about Address Space Layout Randomization on Windows   Advertise on IT Security News. Read the complete article: Six Facts about Address Space Layout Randomization on Windows

Read more →

Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats   Advertise on IT Security News. Read the complete article: Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats

Read more →

Six Facts about Address Space Layout Randomization on Windows   Advertise on IT Security News. Read the complete article: Six Facts about Address Space Layout Randomization on Windows

Read more →

Six Facts about Address Space Layout Randomization on Windows   Advertise on IT Security News. Read the complete article: Six Facts about Address Space Layout Randomization on Windows

Read more →

They Come in the Night: Ransomware Deployment Trends   Advertise on IT Security News. Read the complete article: They Come in the Night: Ransomware Deployment Trends

Read more →

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. Mandiant analyzed a…

Read more →

In 2016 we began observing actors we believe to be North Korean utilizing their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system. This marked a departure from previously observed activity of North Korean actors employing…

Read more →

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. Mandiant analyzed a…

Read more →

In 2016 we began observing actors we believe to be North Korean utilizing their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system. This marked a departure from previously observed activity of North Korean actors employing…

Read more →

Prior to 2017, researchers couldn’t easily monitor actions performed by a process on macOS and had to resort to coding scripts that produced low level system call data. FireEye released Monitor.app in 2017 that enabled collection of information on macOS…

Read more →

Prior to 2017, researchers couldn’t easily monitor actions performed by a process on macOS and had to resort to coding scripts that produced low level system call data. FireEye released Monitor.app in 2017 that enabled collection of information on macOS…

Read more →

Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT   Advertise on IT Security News. Read the complete article: Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by…

Read more →

What are Deep Neural Networks Learning About Malware?   Advertise on IT Security News. Read the complete article: What are Deep Neural Networks Learning About Malware?

Read more →

Today we release M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. This latest M-Trends contains all of the statistics, trends, case studies and hardening recommendations that readers have to expect through the years—and more. One of…

Read more →

The Missing LNK — Correlating User Search LNK files   Advertise on IT Security News. Read the complete article: The Missing LNK — Correlating User Search LNK files

Read more →

"Distinguished Impersonator" Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests   Advertise on IT Security News. Read the complete article: "Distinguished Impersonator" Information Operation That Previously Impersonated…

Read more →

"Distinguished Impersonator" Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests   Advertise on IT Security News. Read the complete article: "Distinguished Impersonator" Information Operation That Previously Impersonated…

Read more →

Managed Defense: The Analytical Mindset   Advertise on IT Security News. Read the complete article: Managed Defense: The Analytical Mindset

Read more →

STOMP 2 DIS: Brilliance in the (Visual) Basics   Advertise on IT Security News. Read the complete article: STOMP 2 DIS: Brilliance in the (Visual) Basics

Read more →

STOMP 2 DIS: Brilliance in the (Visual) Basics   Advertise on IT Security News. Read the complete article: STOMP 2 DIS: Brilliance in the (Visual) Basics

Read more →

Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D   Advertise on IT Security News. Read the complete article: Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D

Read more →

Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware   Advertise on IT Security News. Read the complete article: Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has…

Read more →

Nice Try: 501 (Ransomware) Not Implemented   Advertise on IT Security News. Read the complete article: Nice Try: 501 (Ransomware) Not Implemented

Read more →

404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor   Advertise on IT Security News. Read the complete article: 404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor

Read more →

FireEye has identified a suspected influence operation that appears to originate from Iran aimed at audiences in the U.S., U.K., Latin America, and the Middle East. This operation is leveraging a network of inauthentic news sites and clusters of associated…

Read more →

SAIGON, the Mysterious Ursnif Fork   Advertise on IT Security News. Read the complete article: SAIGON, the Mysterious Ursnif Fork

Read more →

New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit   Advertise on IT Security News. Read the complete article: New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat…

Read more →

Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign   Advertise on IT Security News. Read the complete article: Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign

Read more →

Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware   Advertise on IT Security News. Read the complete article: Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has…

Read more →

UPDATE (Jan. 30): Figure 1 has been updated to more accurately reflect APT39 targeting. Specifically, Australia, Norway and South Korea have been removed. In December 2018, FireEye identified APT39 as an Iranian cyber espionage group responsible for widespread theft of…

Read more →