Lucene search
+L
FireeyeMost viewed

545 matches found

FireEye
FireEye
added 2018/01/17 12:0 p.m.8965 views

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities. Zyklon is a publicly available,...

9.3CVSS8.8AI score0.99945EPSS
Exploits47
FireEye
FireEye
added 2017/12/07 12:0 p.m.4571 views

New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit

Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber...

9.3CVSS8.7AI score0.99945EPSS
Exploits62
FireEye
FireEye
added 2018/02/20 8:30 a.m.4157 views

APT37 (Reaper): The Overlooked North Korean Actor

On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability CVE-2018-4878 by a suspected North Korean cyber espionage group that we now track as APT37 Reaper. Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and...

9.3CVSS8.8AI score0.93289EPSS
Exploits26
FireEye
FireEye
added 2018/07/10 12:0 p.m.3889 views

Malicious PowerShell Detection via Machine Learning

Introduction Cyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to install backdoors, execute malicious code, and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researcher...

5CVSS8AI score0.99993EPSS
Exploits45
FireEye
FireEye
added 2017/04/11 1:30 p.m.3362 views

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing ...

9.3CVSS8.4AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2018/07/26 10:0 a.m.3087 views

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign

Campaign Details In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being...

9.3CVSS1.7AI score0.99945EPSS
Exploits62
FireEye
FireEye
added 2017/09/12 1:0 p.m.2665 views

FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft...

9.3CVSS0.99933EPSS
Exploits40
FireEye
FireEye
added 2016/05/20 2:59 p.m.2457 views

How RTF malware evades static signature-based detection

History Rich Text Format RTF is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities...

9.3CVSS9.2AI score0.99966EPSS
Exploits35
FireEye
FireEye
added 2018/09/06 11:0 a.m.2267 views

Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware

Towards the end of August 2018, FireEye identified a new exploit kit EK that was being served up as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region. The first instance of the campaign was observed on...

7.6CVSS1AI score0.87639EPSS
Exploits9
FireEye
FireEye
added 2018/04/24 11:0 a.m.1906 views

Metamorfo Campaigns Targeting Brazilian Users

FireEye Labs recently identified several widespread malspam malware spam campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and...

Exploits0
FireEye
FireEye
added 2018/02/15 11:30 a.m.1683 views

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners. CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service WLS Security in Oracle WebLogic Server versions 12.2.1.2.0...

9.3CVSS8.6AI score0.99993EPSS
Exploits100
FireEye
FireEye
added 2018/06/28 12:0 p.m.1659 views

RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique

Introduction Through FireEye Dynamic Threat Intelligence DTI, we observed RIG Exploit Kit EK delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner similar activity has been reported by Trend Micro. Apart from leveraging a...

9.3CVSS8.8AI score0.93165EPSS
Exploits39
FireEye
FireEye
added 2019/06/05 3:0 p.m.1619 views

Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities

FireEye Labs recently observed an attack against the government sector in Central Asia. The attack involved the new HAWKBALL backdoor being delivered via well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802. HAWKBALL is a backdoor that attackers can use to collect...

9.3CVSS0.99945EPSS
Exploits36
FireEye
FireEye
added 2020/05/07 12:0 a.m.1533 views

Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity,...

7.6CVSS0.4AI score0.87639EPSS
Exploits9References13
FireEye
FireEye
added 2018/07/18 10:0 a.m.1518 views

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners

Introduction Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and...

7.2CVSS0.99993EPSS
Exploits59
FireEye
FireEye
added 2017/06/27 5:30 p.m.1464 views

Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit

UPDATE July 21: FireEye continues to track this threat. An earlier version of this post has been updated to reflect new findings. On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to a variant of the Petya ransomware, which we are...

9.3CVSS7.9AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2017/09/12 1:0 p.m.1375 views

FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft...

9.3CVSS8.7AI score0.99933EPSS
Exploits40
FireEye
FireEye
added 2017/06/06 6:30 p.m.1248 views

Privileges and Credentials: Phished at the Request of Counsel

Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three...

9.3CVSS6.8AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2018/03/16 12:0 a.m.1191 views

Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries

Intrusions Focus on the Engineering and Maritime Sector Since early 2018, FireEye including our FireEye as a Service FaaS, Mandiant Consulting, and iSIGHT Intelligence teams has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to...

9.3CVSS0.1AI score0.99945EPSS
Exploits33
FireEye
FireEye
added 2019/03/04 1:0 p.m.1086 views

APT40: Examining a China-Nexus Espionage Actor

FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China’s naval modernization effort. The group has...

9.3CVSS8.1AI score0.99966EPSS
Exploits85References5
FireEye
FireEye
added 2017/04/12 11:0 a.m.1040 views

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

9.3CVSS8.2AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2018/09/19 10:0 a.m.987 views

Click It Up: Targeting Local Government Payment Portals

FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. Click2Gov is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associat...

7.5CVSS0.99993EPSS
Exploits57
FireEye
FireEye
added 2017/05/09 1:0 p.m.961 views

EPS Processing Zero-Days Exploited by Multiple Threat Actors

In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript EPS of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products...

9.3CVSS8.7AI score0.99933EPSS
Exploits57
FireEye
FireEye
added 2016/07/14 4:37 p.m.913 views

Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release

A security researcher recently published source code for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit EK quickly adopted it. CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in...

10CVSS0.9AI score0.94996EPSS
Exploits55
FireEye
FireEye
added 2017/10/19 4:6 p.m.907 views

Magniber Ransomware Wants to Infect Only the Right People

Introduction Exploit kit EK use has been on the decline since late 2016; however, certain activity remains consistent. The Magnitude Exploit Kit is one such example that continues to affect users, particularly in the APAC region. In Figure 1, which is based on FireEye Dynamic threat Intelligence...

7.6CVSS0.1AI score0.93165EPSS
Exploits10
FireEye
FireEye
added 2020/11/02 12:0 a.m.891 views

Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945

Through Mandiant investigation of intrusions, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise managed service providers and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party...

10CVSS0.4AI score0.99999EPSS
Exploits136References9
FireEye
FireEye
added 2017/04/12 11:0 a.m.862 views

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

9.3CVSS8.3AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2015/12/01 8:0 a.m.830 views

China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets

FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat APT group and other researchers refer to as...

9.3CVSS0.3AI score0.99966EPSS
Exploits12
FireEye
FireEye
added 2016/05/20 2:59 p.m.762 views

How RTF malware evades static signature-based detection

History Rich Text Format RTF is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities...

9.3CVSS8.2AI score0.99966EPSS
Exploits35
FireEye
FireEye
added 2017/05/09 1:0 p.m.750 views

EPS Processing Zero-Days Exploited by Multiple Threat Actors

In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript EPS of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products...

9.3CVSS8.5AI score0.99933EPSS
Exploits57
FireEye
FireEye
added 2021/09/03 10:0 a.m.749 views

PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers

In August 2021, Mandiant Managed Defense identified and responded to the exploitation of a chain of vulnerabilities known as ProxyShell. The ProxyShell vulnerabilities consist of three CVEs CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 affecting the following versions of on-premises Microsoft...

10CVSS0.6AI score0.99999EPSS
Exploits18References9
FireEye
FireEye
added 2018/02/02 9:15 p.m.746 views

Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations

On Jan. 31, KISA KrCERT published an advisory about an Adobe Flash zero-day vulnerability CVE-2018-4878 being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash Player 28.0.0.137 and earlier versions, and that successful exploitation coul...

7.5CVSS8.6AI score0.89618EPSS
Exploits19
FireEye
FireEye
added 2020/04/13 12:0 a.m.723 views

Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two

One of the critical strategic and tactical roles that cyber threat intelligence CTI plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandian...

10CVSS0.5AI score0.99993EPSS
Exploits296References3
FireEye
FireEye
added 2021/04/20 12:0 a.m.720 views

Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day

Executive Summary Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances. This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and...

7.5CVSS0.2AI score0.83425EPSS
Exploits9References4
FireEye
FireEye
added 2017/06/27 5:30 p.m.717 views

Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit

UPDATE July 21: FireEye continues to track this threat. An earlier version of this post has been updated to reflect new findings. On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to a variant of the Petya ransomware, which we are...

9.3CVSS8AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2021/08/10 3:0 p.m.715 views

UNC215: Spotlight on a Chinese Espionage Campaign in Israel

This blog post details the post-compromise tradecraft and operational tactics, techniques, and procedures TTPs of a Chinese espionage group we track as UNC215. While UNC215’s targets are located throughout the Middle East, Europe, Asia, and North America, this report focuses on intrusion activity...

7.5CVSS0.1AI score0.99913EPSS
Exploits29References8
FireEye
FireEye
added 2018/08/01 1:0 p.m.686 views

On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation

FIN7’s Innovation Enabled their Success Throughout FireEye’s tracking of FIN7 campaigns, the attackers have attempted to stay ahead of the game and thwart detection, using novel tactics and displaying characteristics of a well-resourced operation. For example, in April 2017, FireEye blogged about...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/04/11 1:30 p.m.685 views

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing ...

9.3CVSS8.6AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2020/03/25 12:0 a.m.654 views

This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers,...

10CVSS0.3AI score0.99999EPSS
Exploits100References19
FireEye
FireEye
added 2016/07/14 4:37 p.m.654 views

Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release

A security researcher recently published source code for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit EK quickly adopted it. CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in...

10CVSS9.6AI score0.94996EPSS
Exploits55
FireEye
FireEye
added 2016/04/13 9:0 a.m.645 views

Ghosts in the Endpoint

We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections. In this study, all the families identified are samples from VirusTotal VT with...

10CVSS9.4AI score0.99344EPSS
Exploits10
FireEye
FireEye
added 2020/04/27 12:30 p.m.630 views

Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence — Intelligence for Vulnerability Management, Part Four

One of the critical strategic and tactical roles that cyber threat intelligence CTI plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandian...

9.3CVSS9.2AI score0.99999EPSS
Exploits60References10
FireEye
FireEye
added 2020/12/13 12:0 a.m.626 views

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor

Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST. The attacker’s post...

0.1AI score
Exploits0References2
FireEye
FireEye
added 2021/03/04 12:0 a.m.601 views

Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities

Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint securit...

7.5CVSS9.8AI score0.99999EPSS
Exploits66References10
FireEye
FireEye
added 2017/10/13 5:0 p.m.586 views

2017 Flare-On Challenge Solutions

Another year, another successful Flare-On Challenge. I’d first like to thank our challenge authors for their hard work developing each of the challenges, and also for writing up their solutions: Challenge 1: Dominik Weber @Invalidhandle Challenge 2: Nhan Huynh Challenge 3: Matt Williams...

1.7AI score
Exploits0
FireEye
FireEye
added 2018/01/11 11:45 a.m.579 views

FLARE IDA Pro Script Series: Simplifying Graphs in IDA

Introduction We’re proud to release a new plug-in for IDA Pro users – SimplifyGraph – to help automate creation of groups of nodes in the IDA’s disassembly graph view. Code and binaries are available from the FireEye GitHub repo. Prior to this release we submitted it in the 2017 Hex-Rays plugin...

6.7AI score
Exploits0
FireEye
FireEye
added 2018/06/18 11:45 a.m.559 views

Bring Your Own Land (BYOL) – A Novel Red Teaming Technique

Introduction One of most significant recent developments in sophisticated offensive operations is the use of “Living off the Land” LotL techniques by attackers. These techniques leverage legitimate tools present on the system, such as the PowerShell scripting language, in order to execute attacks...

1.6AI score
Exploits0
FireEye
FireEye
added 2018/04/18 2:0 a.m.548 views

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: Blockchain Infrastructure Use

UPDATE May 31, 2018: A section of the post on commonly used OpenNIC IPs has been removed to avoid any implication that the OpenNIC IPs are inherently malicious, which is not the case. Introduction Cyber criminals have always been attracted to cryptocurrencies because it provides a certain level o...

7.6AI score
Exploits0
FireEye
FireEye
added 2018/06/07 10:0 a.m.529 views

A Totally Tubular Treatise on TRITON and TriStation

Introduction In December 2017, FireEye's Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what is necessary to succeed in their mission. For bot...

7.8AI score
Exploits0
FireEye
FireEye
added 2018/05/21 11:15 a.m.523 views

Shining a Light on OAuth Abuse with PwnAuth

Introduction Spear phishing attacks are seen as one of the biggest cyber threats to an organization. It only takes one employee to enter their credentials or run some malware for an entire organization to become compromised. As such, companies devote significant resources to preventing credential...

Exploits0
Total number of security vulnerabilities545