Lucene search
+L
FireeyeMost viewed

545 matches found

FireEye
FireEye
added 2020/03/16 12:0 a.m.16 views

They Come in the Night: Ransomware Deployment Trends

Ransomware is a remote, digital shakedown. It is disruptive and expensive, and it affects all kinds of organizations, from cutting edge space technology firms, to the wool industry, to industrial environments. Infections have forced hospitals to turn away patients and law enforcement to drop case...

1.2AI score
Exploits0References12
FireEye
FireEye
added 2020/02/20 12:0 a.m.16 views

M-Trends 2020: Insights From the Front Lines

Today we release M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. This latest M-Trends contains all of the statistics, trends, case studies and hardening recommendations that readers have come to expect through the years—and more. One of the most exciting takeaways...

0.8AI score
Exploits0References1
FireEye
FireEye
added 2020/02/19 12:0 a.m.16 views

The Missing LNK — Correlating User Search LNK files

Forensic investigators use LNK shortcut files to recover metadata about recently accessed files, including files deleted after the time of access. In a recent investigation, FireEye Mandiant encountered LNK files that indicated an attacker accessed files included in Windows Explorer search result...

6.9AI score
Exploits0References3
FireEye
FireEye
added 2018/12/12 12:30 p.m.16 views

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x8664, ARM, and...

6.1AI score
Exploits0
FireEye
FireEye
added 2017/10/26 7:0 p.m.16 views

BACKSWING - Pulling a BADRABBIT Out of a Hat

Executive Summary On Oct. 24, 2017, coordinated strategic web compromises started to distribute BADRABBIT ransomware to unwitting users. FireEye appliances detected the download attempts and blocked our user base from infection. During our investigation into the activity, FireEye identified a...

7.4AI score
Exploits0References2
FireEye
FireEye
added 2017/09/11 5:0 p.m.16 views

Why Is North Korea So Interested in Bitcoin?

In 2016 we began observing actors we believe to be North Korean utilizing their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system. This marked a departure from previously observed activity of North Korean actors employing cyber espionage for traditiona...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/09/01 11:0 a.m.16 views

Monitoring Windows Console Activity (Part 2)

This is the second of two blogs that discuss the implementation of the Windows console architecture from years past, with a primary focus on the current implementation present on modern versions of Windows. Read our first blog, "Monitoring Windows Console Activity Part 1," for more. Capturing the...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/07/05 3:0 p.m.16 views

Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool

Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware...

6.6AI score
Exploits0References3
FireEye
FireEye
added 2017/04/17 12:30 p.m.16 views

Writing a libemu/Unicorn Compatability Layer

In this post we are going to take a quick look at what it takes to write a libemu compatibility layer for the Unicorn engine. In the course of this work, we will also import the libemu Win32 environment to run under Unicorn. For a bit of background, libemu is a lightweight x86 emulator written in...

6.8AI score
Exploits0References1
FireEye
FireEye
added 2017/03/31 10:15 a.m.16 views

Introducing Monitor.app for macOS

UPDATE 2 Oct. 24, 2018: Monitor.app now supports macOS 10.14. UPDATE April 4, 2018: Monitor.app now supports macOS 10.13. As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/03/09 8:0 a.m.16 views

Using the Registry to Discover Unix Systems and Jump Boxes

On red team engagements, Mandiant consultants are often tasked with identifying and obtaining access to critical Unix systems within our client’s environments. The objectives may include obtaining payment card data on point of sale terminals or accessing intellectual property residing on Apple...

6.6AI score
Exploits0
FireEye
FireEye
added 2016/11/30 11:13 p.m.16 views

FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region

In 2012, a suspected Iranian hacker group called the “Cutting Sword of Justice” used malware known as Shamoon – or Disttrack. In mid-November, Mandiant, a FireEye company, responded to the first Shamoon 2.0 incident against an organization located in the Gulf states. Since then, Mandiant has...

0.1AI score
Exploits0
FireEye
FireEye
added 2016/11/30 5:13 p.m.16 views

‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks

FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently, we have not observed this domain being used in any campaigns. The phishing websites appear to b...

6.9AI score
Exploits0References1
FireEye
FireEye
added 2016/11/09 1:0 p.m.16 views

Extending Linux Executable Logging With The Integrity Measurement Architecture

Gaining insight into the files being executed on your system is a great first step towards improved visibility on your endpoints. Taking this a step further, centrally storing logs of file execution data so they can be used for detection and hunting provides an excellent opportunity to find evil ...

7AI score
Exploits0References6
FireEye
FireEye
added 2016/08/23 8:0 a.m.16 views

Unsealing the Deal: Cyber Threats to Mergers and Acquisitions Persist in a Hot Market

Risks Posed by Sensitive Corporate Communications, Broadened Attack Surface In 2015, a record $5 trillion dollars was tied up in mergers and acquisitions M&A deals, according to JP Morgan. So far, mega deals in 2016 include Microsoft’s purchase of LinkedIn, Shire’s acquisition of Baxalta, and...

6.8AI score
Exploits0
FireEye
FireEye
added 2016/07/27 10:0 a.m.16 views

Red Team Tool Roundup

In many cases Red Team tools are not written because someone feels like writing a tool, or wakes up one morning thinking, “I want to write a tool today”. Red Teamers generally identify tedious tasks in their methodology and then create tools that automate these tasks for current and future...

7.8AI score
Exploits0
FireEye
FireEye
added 2016/06/02 12:0 p.m.16 views

IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems

In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering FLARE team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE...

7.4AI score
Exploits0References5
FireEye
FireEye
added 2016/05/22 3:0 a.m.16 views

Targeted Attacks against Banks in the Middle East

Introduction In the first week of May 2016, FireEye’s DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our...

7.1AI score
Exploits0
FireEye
FireEye
added 2015/11/04 1:0 p.m.16 views

iBackDoor: High-Risk Code Hits iOS Apps

Introduction FireEye mobile researchers recently discovered potentially “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store. The affected versions of this library embedded functionality in iOS apps that used the library to display...

0.8AI score
Exploits0
FireEye
FireEye
added 2014/06/12 10:0 a.m.16 views

Mergers and Acquisitions: When Two Companies and APT Groups Come Together

With Apple’s purchase of Beats, Pfizer’s failed bids for AstraZeneca, and financial experts pointing to a rally in the M&A market, the last month was a busy one for mergers and acquisitions. Of course, when we first see headlines of a high profile company’s plans for a merger or acquisition, we...

0.7AI score
Exploits0
FireEye
FireEye
added 2013/12/03 5:36 p.m.16 views

Preparing for Managed Security Services

Wade Woolwine Presents at MIRcon® 2013 As a complement to my MIRcon® 2013 presentation titled "Getting the Best Bang for the Buck with Managed Security Providers" and to address some questions I received from the audience, I have prepared a quick summary of my presentation. Many businesses consid...

0.5AI score
Exploits0
FireEye
FireEye
added 2012/10/31 6:36 p.m.16 views

That’s a Wrap! Highlights from MIRcon 2012

Three years ago when we set out to create a conference that would bring together the greatest minds in the information security industry, we could not imagine the overwhelmingly positive response and growth MIRcon™ would receive year after year. Our goal for MIRcon is simple: to inform innovators...

6.8AI score
Exploits0
FireEye
FireEye
added 2020/04/01 12:0 a.m.15 views

Kerberos Tickets on Linux Red Teams

At FireEye Mandiant, we conduct numerous red team engagements within Windows Active Directory environments. Consequently, we frequently encounter Linux systems integrated within Active Directory environments. Compromising an individual domain-joined Linux system can provide useful data on its own...

0.4AI score
Exploits0References10
FireEye
FireEye
added 2018/03/23 3:0 p.m.15 views

SANNY Malware Delivery Method Updated in Recently Observed Attacks

Introduction In the third week of March 2018, through FireEye’s Dynamic Threat Intelligence, FireEye discovered malicious macro-based Microsoft Word documents distributing SANNY malware to multiple governments worldwide. Each malicious document lure was crafted in regard to relevant regional...

7.7AI score
Exploits0References1
FireEye
FireEye
added 2017/09/19 1:0 a.m.15 views

rVMI: Perform Full System Analysis with Ease

Manual dynamic analysis is an important concept. It enables us to observe the behavior of a sophisticated malware sample or exploit by executing it in a controlled environment. The information gathered through this process is often crucial in gaining a full understanding of a sample. When...

6.6AI score
Exploits0References7
FireEye
FireEye
added 2017/03/09 8:0 a.m.15 views

Using the Registry to Discover Unix Systems and Jump Boxes

On red team engagements, Mandiant consultants are often tasked with identifying and obtaining access to critical Unix systems within our client’s environments. The objectives may include obtaining payment card data on point of sale terminals or accessing intellectual property residing on Apple...

6.7AI score
Exploits0
FireEye
FireEye
added 2017/03/03 8:0 a.m.15 views

AntiVirus Evasion Reconstructed – Veil 3.0

The Veil Framework is a collection of tools designed for use during offensive security testing. When the time calls for it, Mandiant’s Red Team will use the Veil-Framework to help achieve their objective. The most commonly used tool is Veil-Evasion, which can turn an arbitrary script or piece of...

7.1AI score
Exploits0
FireEye
FireEye
added 2016/11/30 12:13 p.m.15 views

‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks

FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently, we have not observed this domain being used in any campaigns. The phishing websites appear to b...

0.4AI score
Exploits0
FireEye
FireEye
added 2016/10/13 8:0 a.m.15 views

Operations of a Brazilian Payment Card Fraud Group

Introduction Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyb...

8.5AI score
Exploits0
FireEye
FireEye
added 2016/05/09 2:43 p.m.15 views

Locky Gets Clever!

As discussed in an earlier FireEye blog, we have seen Locky ransomware rise to fame in recent months. Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails, and may have overshadowed the Dridex banking Trojan as the top spam contributor. FireEye...

6.9AI score
Exploits0References1
FireEye
FireEye
added 2016/03/25 12:0 p.m.15 views

Surge in Spam Campaign Delivering Locky Ransomware Downloaders

FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1. Figure 1. Affected countries As seen in Figure 2, the steep spike start...

6.9AI score
Exploits0References1
FireEye
FireEye
added 2016/03/11 5:8 p.m.15 views

A Growing Number of Android Malware Families Believed to Have a Common Origin: A Study Based on Binary Code

Introduction On Feb. 19, IBM XForce researchers released an intelligence report 1 stating that the source code for GM Bot was leaked to a crimeware forum in December 2015. GM Bot is a sophisticated Android malware family that emerged in the Russian-speaking cybercrime underground in late 2014. IB...

0.8AI score
Exploits0
FireEye
FireEye
added 2019/12/03 12:0 a.m.14 views

Excelerating Analysis – Tips and Tricks to Analyze Data with Microsoft Excel

Incident response investigations don’t always involve standard host-based artifacts with fully developed parsing and analysis tools. At FireEye Mandiant, we frequently encounter incidents that involve a number of systems and solutions that utilize custom logging or artifact data. Determining what...

7AI score
Exploits0References5
FireEye
FireEye
added 2019/05/28 7:0 p.m.14 views

Network of Social Media Accounts Impersonates U.S. Political Candidates, Leverages U.S. and Israeli Media in Support of Iranian Interests

In August 2018, FireEye Threat Intelligence released a report exposing what we assessed to be an Iranian influence operation leveraging networks of inauthentic news sites and social media accounts aimed at audiences around the world. We identified inauthentic social media accounts posing as...

0.2AI score
Exploits0References16
FireEye
FireEye
added 2019/03/15 4:0 p.m.14 views

Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing

Introduction Malware authors attempt to evade detection by executing their payload without having to write the executable file on the disk. One of the most commonly seen techniques of this "fileless" execution is code injection. Rather than executing the malware directly, attackers inject the...

0.2AI score
Exploits0References2
FireEye
FireEye
added 2018/05/29 5:0 p.m.14 views

Remote Authentication GeoFeasibility Tool - GeoLogonalyzer

Users have long needed to access important resources such as virtual private networks VPNs, web applications, and mail servers from anywhere in the world at any time. While the ability to access resources from anywhere is imperative for employees, threat actors often leverage stolen credentials t...

7.2AI score
Exploits0References4
FireEye
FireEye
added 2017/05/04 4:30 p.m.14 views

Dridex and Locky Return Via PDF Attachments in Latest Campaigns

Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...

7.3AI score
Exploits0References2
FireEye
FireEye
added 2017/04/17 8:30 a.m.14 views

Writing a libemu/Unicorn Compatability Layer

In this post we are going to take a quick look at what it takes to write a libemu compatibility layer for the Unicorn engine. In the course of this work, we will also import the libemu Win32 environment to run under Unicorn. For a bit of background, libemu is a lightweight x86 emulator written in...

0.1AI score
Exploits0
FireEye
FireEye
added 2017/03/07 9:0 a.m.14 views

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service FaaS identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission SEC filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of...

7AI score
Exploits0
FireEye
FireEye
added 2016/11/16 1:16 p.m.14 views

FireEye Cyber Defense Summit 2016: The Incident Response Track – Technical Details and Solutions that Work

2016 has been a year of significant change to the cyber security landscape. The rapid proliferation of ransomware and the emergence of Internet of Things mass compromise has changed the landscape for responders. Similarly, existing threats have become more brazen, with nation-state actors...

Exploits0
FireEye
FireEye
added 2016/09/29 8:0 a.m.14 views

Vendetta Brothers, Inc. – A Window Into the Business of the Cybercriminal Underground

FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the “Vendetta Brothers.” This enterprising duo uses various strategies to compromise point-of-sale systems, steal payment card information and sell it on their underground marketplace “Vendetta World.” The...

6.6AI score
Exploits0
FireEye
FireEye
added 2016/06/24 1:30 p.m.14 views

Locky is Back Asking for Unpaid Debts

On June 21, 2016, FireEye’s Dynamic Threat Intelligence DTI identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign. As shown in Figure 1, Locky spam activity was uninterrupted until June 1,...

0.3AI score
Exploits0
FireEye
FireEye
added 2016/06/24 1:30 p.m.14 views

Locky is Back Asking for Unpaid Debts

On June 21, 2016, FireEye’s Dynamic Threat Intelligence DTI identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign. As shown in Figure 1, Locky spam activity was uninterrupted until June 1,...

7.2AI score
Exploits0
FireEye
FireEye
added 2016/04/19 3:30 p.m.14 views

MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry

FireEye recently discovered a new variant of a point of sale POS malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payme...

7.1AI score
Exploits0References7
FireEye
FireEye
added 2013/11/19 4:26 p.m.14 views

Critical Infrastructure Beyond the Power Grid

The term "critical infrastructure" has earned its spot on the board of our ongoing game of cyber bingo--right next to "Digital Pearl Harbor," "Cyber 9/11," "SCADA" and "Stuxnet." With "critical infrastructure" thrown about in references to cyber threats nearly every week, we thought it was time f...

7.1AI score
Exploits0
FireEye
FireEye
added 2013/11/06 8:54 p.m.14 views

MIRcon 2013 – Day 1 Highlights

Happy Day 2 of MIRcon®! Yesterday, Mandiant's CEO Kevin Mandia kicked off MIRcon 2013 with a keynote on attacking the security gap, discussing the necessity of information-sharing and his experience witnessing the evolution of cybercrime. From there we moved on to thought-provoking discussions in...

0.6AI score
Exploits0
FireEye
FireEye
added 2020/02/12 12:30 p.m.13 views

"Distinguished Impersonator" Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests

In May 2019, FireEye Threat Intelligence published a blog post exposing a network of English-language social media accounts that engaged in inauthentic behavior and misrepresentation that we assessed with low confidence was organized in support of Iranian political interests. Personas in that...

0.5AI score
Exploits0References3
FireEye
FireEye
added 2019/11/14 5:0 p.m.13 views

Attention is All They Need: Combatting Social Media Information Operations With Neural Language Models

Information operations have flourished on social media in part because they can be conducted cheaply, are relatively low risk, have immediate global reach, and can exploit the type of viral amplification incentivized by platforms. Using networks of coordinated accounts, social media-driven...

0.1AI score
Exploits0References26
FireEye
FireEye
added 2017/10/30 2:0 p.m.13 views

Introducing GoCrack: A Managed Password Cracking Tool

FireEye's Innovation and Custom Engineering ICE team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI Figure 1 shows the dashboard to create, view, and manage...

7AI score
Exploits0References3
FireEye
FireEye
added 2017/10/23 3:15 p.m.13 views

New FakeNet-NG Feature: Content-Based Protocol Detection

I Matthew Haigh recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and...

6.4AI score
Exploits0References2
Total number of security vulnerabilities545