545 matches found
ELFant in the Room – capa v3
Since our initial public release of capa, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format ELF files, such as...
Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms, Websites, and Forums in at Least Seven Languages, Attempted to Physically Mobilize Protesters in the U.S.
In June 2019, Mandiant Threat Intelligence first reported to customers a pro-People’s Republic of China PRC network of hundreds of inauthentic accounts on Twitter, Facebook, and YouTube, that was at that time primarily focused on discrediting pro-democracy protests in Hong Kong. Since then, the...
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
In August 2021, Mandiant Managed Defense identified and responded to the exploitation of a chain of vulnerabilities known as ProxyShell. The ProxyShell vulnerabilities consist of three CVEs CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 affecting the following versions of on-premises Microsoft...
Too Log; Didn't Read — Unknown Actor Using CLFS Log Files for Stealth
The Mandiant Advanced Practices team recently discovered a new malware family we have named PRIVATELOG and its installer, STASHLOG. In this post, we will share a novel and especially interesting technique the samples use to hide data, along with detailed analysis of both files that was performed...
Detecting Embedded Content in OOXML Documents
On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents—specifically those in the Office Open XML OOXML file format. Additionally, we’re releasing ...
Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency “CISA” that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020,...
Announcing the Eighth Annual Flare-On Challenge
The FLARE team is once again hosting its annual Flare-On challenge, now in its eighth year. Take this opportunity to enjoy some extreme social distancing by solving fun puzzles to test your mettle and learn new tricks on your path to reverse engineering excellence. The contest will begin at 8:00...
UNC215: Spotlight on a Chinese Espionage Campaign in Israel
This blog post details the post-compromise tradecraft and operational tactics, techniques, and procedures TTPs of a Chinese espionage group we track as UNC215. While UNC215’s targets are located throughout the Middle East, Europe, Asia, and North America, this report focuses on intrusion activity...
capa 2.0: Better, Stronger, Faster
We are excited to announce version 2.0 of our open-source tool called capa. capa automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering. If you haven’t heard of capa before, or need a refresher, check...
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. As...
Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices
On April 20, 2021, Mandiant published detailed results of our investigations into compromised Pulse Secure devices by suspected Chinese espionage operators. This blog post is intended to provide an update on our findings, give additional recommendations to network defenders, and discuss potential...
Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises
Attacks on control processes supported by operational technology OT are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat...
Shining a Light on DARKSIDE Ransomware Operations
Update May 14: Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers, and wou...
The UNC2529 Triple Double: A Trifecta Phishing Campaign
In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded...
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the...
Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity
In July 2020, Mandiant Threat Intelligence released a public report detailing an ongoing influence campaign we named “Ghostwriter.” Ghostwriter is a cyber-enabled influence campaign which primarily targets audiences in Lithuania, Latvia and Poland and promotes narratives critical of the North...
Abusing Replication: Stealing AD FS Secrets Over the Network
Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives. The focus ...
Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise
In March 2021, Mandiant Managed Defense identified three zero-day vulnerabilities in SonicWall’s Email Security ES product that were being exploited in the wild. These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device. The...
Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Executive Summary Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances. This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and...
M-Trends 2021: A View From the Front Lines
We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination of global events. Business operations shifted in response to the worldwide pandemic and threat actors continued to...
Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure
High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology OT. However, there is a continued perception across critical infrastructure organizations that OT networks are isolated from public networks—such as the Internet. In...
Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service
In this blog post we will describe: How attackers use the Background Intelligent Transfer Service BITS Forensic techniques for detecting attacker activity with data format specifications Public release of the BitsParser tool A real-world example of malware using BITS persistence --- Introduction...
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint securit...
New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452
Executive Summary In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository. SUNSHUTTLE is a second-stage backdoor written in GoLang that features some detection evasion capabilities. Mandiant observed SUNSHUTTLE at a victim compromis...
Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory
Continuing our discussion of image parsing vulnerabilities in Windows, we take a look at a comparatively less popular vulnerability class: uninitialized memory. In this post, we will look at Windows’ inbuilt image parsers—specifically for vulnerabilities involving the use of uninitialized memory...
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Mandiant Advanced Practices AP closely tracks the shifting tactics, techniques, and procedures TTPs of financially motivated groups who severely disrupt organizations with ransomware. In May 2020, FireEye released a blog post detailing intrusion tradecraft associated with the deployment of MAZE. ...
Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance FTA to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting...
Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part Two)
In this post, we continue our analysis of the SolarCity ConnectPort X2e Zigbee device referred to throughout as X2e device. In Part One, we discussed the X2e at a high level, performed initial network-based attacks, then discussed the hardware techniques used to gain a remote shell on the X2e...
Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part One)
In 2019, Mandiant’s Red Team discovered a series of vulnerabilities present within Digi International’s ConnectPort X2e device, which allows for remote code execution as a privileged user. Specifically, Mandiant’s research focused on SolarCity’s now owned by Tesla rebranded ConnectPort X2e device...
Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication
FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains. These domains were masquerading as authentic websites and stole personal information such as credit card data. The stolen...
Training Transformers for Cyber Security Tasks: A Case Study on Malicious URL Prediction
Highlights Perform a case study on using Transformer models to solve cyber security problems Train a Transformer model to detect malicious URLs under multiple training regimes Compare our model against other deep learning methods, and show it performs on-par with other top-scoring models Identify...
Emulation of Kernel Mode Rootkits With Speakeasy
In August 2020, we released a blog post about how the Speakeasy emulation framework can be used to emulate user mode malware such as shellcode. If you haven’t had a chance, give the post a read today. In addition to user mode emulation, Speakeasy also supports emulation of kernel mode Windows...
Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
UPDATE Oct. 28, 2021: Mandiant has recently observed targeted threat actors using EWS impersonation via the ApplicationImpersonation role to maintain persistent access to mailboxes in victim environments. Once the threat actor has access to this role, its abuse is hard to detect and provides the...
SUNBURST Additional Technical Details
FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with our blog post about the SolarWinds supply chain compromise, which revealed...
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST. The attacker’s post...
Unauthorized Access of FireEye Red Team Tools
Overview A highly sophisticated state-sponsored adversary stole FireEye Red Team tools. Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them, FireEye is releasing hundreds of...
Using Speakeasy Emulation Framework Programmatically to Unpack Malware
Andrew Davis recently announced the public release of his new Windows emulation framework named Speakeasy. While the introductory blog post focused on using Speakeasy as an automated malware sandbox of sorts, this entry will highlight another powerful use of the framework: automated malware...
Election Cyber Threats in the Asia-Pacific Region
In democratic societies, elections are the mechanism for choosing heads of state and policymakers. There are strong incentives for adversary nations to understand the intentions and preferences of the people and parties that will shape a country's future path and to reduce uncertainty about likel...
Purgalicious VBA: Macro Obfuscation With VBA Purging
Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in Februa...
WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques
Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW Windows on Windows system wa...
In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover — CVE-2020-14871
FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer’s system and analyzed it to see how it was attacking their Solaris environment. The FLARE team’s Offensive Task Force analyz...
Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945
Through Mandiant investigation of intrusions, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise managed service providers and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party...
Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine
Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new detection mechanisms and response processes. Access to the appropriate tooling and resources is critic...
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the...
Flare-On 7 Challenge Solutions
We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we’ve produced, with the lowest rate of finishers. This year’s winners are truly the elite of the elite! Lucky for them, all 260 winners will receive this...
FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft
Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN or financially motivated threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free. In...
Detecting Microsoft 365 and Azure Active Directory Backdoors
Mandiant has seen an uptick in incidents involving Microsoft 365 M365 and Azure Active Directory Azure AD. Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of...
Fuzzing Image Parsing in Windows, Part One: Color Profiles
Image parsing and rendering are basic features of any modern operating system OS. Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. In this multi-part blog series, ...
A "DFUR-ent" Perspective on Threat Modeling and Application Log Forensic Analysis
Many organizations operating in e-commerce, hospitality, healthcare, managed services, and other service industries rely on web applications. And buried within the application logs may be the potential discovery of fraudulent use and/or compromise! But, let's face it, finding evil in application...
Emulation of Malicious Shellcode With Speakeasy
In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are not malware analysts to acquire triage reports in an automated way, as well as enabling reverse engineers to write custom...