Lucene search
+L
FireeyeMost viewed

545 matches found

FireEye
FireEye
added 2018/04/05 11:0 a.m.523 views

Fake Software Update Abuses NetSupport Remote Access Tool

Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool RAT. NetSupport Manager is a commercially available RAT that can be used legitimately by system...

0.4AI score
Exploits0
FireEye
FireEye
added 2018/09/13 12:0 p.m.522 views

APT10 Targeting Japanese Corporations Using Updated TTPs

Introduction In July 2018, FireEye devices detected and blocked what appears to be APT10 Menupass activity targeting the Japanese media sector. APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009, and they have a history of targeting Japanese entities. In this campaign, t...

8AI score
Exploits0
FireEye
FireEye
added 2018/03/23 11:0 a.m.520 views

SANNY Malware Delivery Method Updated in Recently Observed Attacks

Introduction In the third week of March 2018, through FireEye’s Dynamic Threat Intelligence, FireEye discovered malicious macro-based Microsoft Word documents distributing SANNY malware to multiple governments worldwide. Each malicious document lure was crafted in regard to relevant regional...

7.9AI score
Exploits0
FireEye
FireEye
added 2018/03/22 11:45 p.m.520 views

DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques

Skilled attackers continually seek out new attack vectors, while employing evasion techniques to maintain the effectiveness of old vectors, in an ever-changing defensive landscape. Many of these threat actors employ obfuscation frameworks for common scripting languages such as JavaScript and...

0.3AI score
Exploits0
FireEye
FireEye
added 2018/03/13 12:15 p.m.516 views

Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign

Introduction From January 2018 to March 2018, through FireEye’s Dynamic Threat Intelligence, we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. We attribute this activity t...

7.8AI score
Exploits0
FireEye
FireEye
added 2018/04/23 11:0 a.m.513 views

Loading Kernel Shellcode

In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around...

7.8AI score
Exploits0
FireEye
FireEye
added 2017/12/14 10:0 a.m.513 views

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure

Introduction Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate...

7.3AI score
Exploits0
FireEye
FireEye
added 2018/04/10 11:0 a.m.512 views

Solving Ad-hoc Problems with Hex-Rays API

Introduction IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled a...

6.4AI score
Exploits0
FireEye
FireEye
added 2017/10/26 3:0 p.m.509 views

BACKSWING - Pulling a BADRABBIT Out of a Hat

Executive Summary On Oct. 24, 2017, coordinated strategic web compromises started to distribute BADRABBIT ransomware to unwitting users. FireEye appliances detected the download attempts and blocked our user base from infection. During our investigation into the activity, FireEye identified a...

Exploits0
FireEye
FireEye
added 2015/12/16 8:0 a.m.508 views

The EPS Awakens

On September 8, FireEye published details about an attack exploiting zero day vulnerabilities in Microsoft Office CVE-2015-2545 and Windows CVE-2015-2546. The attack was particularly notable because it leveraged PostScript to drive memory corruption in a way that had never been seen before. The...

9.3CVSS8.4AI score0.86053EPSS
Exploits40
FireEye
FireEye
added 2017/11/28 2:0 p.m.506 views

Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection

Introduction TLS Thread Local Storage callbacks are provided by the Windows operating system to support additional initialization and termination for per-thread data structures. As previously reported, malicious TLS callbacks, as an anti-analysis trick, have been observed for quite some time and...

7.5AI score
Exploits0
FireEye
FireEye
added 2018/07/10 8:0 p.m.505 views

Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally

Introduction FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with...

0.3AI score
Exploits0
FireEye
FireEye
added 2018/08/15 11:30 a.m.503 views

Announcing the Fifth Annual Flare-On Challenge

The FireEye Labs Advanced Reverse Engineering FLARE team’s annual reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24, 2018. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. So dust off your disassembler, pu...

0.1AI score
Exploits0
FireEye
FireEye
added 2017/10/30 10:0 a.m.502 views

Introducing GoCrack: A Managed Password Cracking Tool

FireEye's Innovation and Custom Engineering ICE team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI Figure 1 shows the dashboard to create, view, and manage...

1.2AI score
Exploits0
FireEye
FireEye
added 2018/08/08 10:45 a.m.498 views

BIOS Boots What? Finding Evil in Boot Code at Scale!

The second issue is that reverse engineering all boot records is impractical. Given the job of determining if a single system is infected with a bootkit, a malware analyst could acquire a disk image and then reverse engineer the boot bytes to determine if anything malicious is present in the boot...

6.8AI score
Exploits0
FireEye
FireEye
added 2018/05/04 11:0 a.m.498 views

Rooting a Logitech Harmony Hub: Improving Security in Today's IoT World

Introduction FireEye’s Mandiant Red Team recently discovered vulnerabilities present on the Logitech Harmony Hub Internet of Things IoT device that could potentially be exploited, resulting in root access to the device via SSH. The Harmony Hub is a home control system designed to connect to and...

7.4AI score
Exploits0
FireEye
FireEye
added 2018/04/04 7:0 a.m.498 views

M-Trends 2018

What have incident responders observed and learned from cyber attacks in 2017? Just as in prior years, we have continued to see the cyber security threat landscape evolve. Over the past twelve months we have observed a number of new trends and changes to attacks, but we have also seen how certain...

0.2AI score
Exploits0
FireEye
FireEye
added 2018/04/26 12:15 p.m.497 views

Establishing a Baseline for Remote Desktop Protocol

For IT staff and Windows power users, Microsoft Terminal Services Remote Desktop Protocol RDP is a beneficial tool that allows for the interactive.aspx use or administration of a remote Windows system. However, Mandiant consultants have also observed threat actors using RDP, with compromised doma...

0.3AI score
Exploits0
FireEye
FireEye
added 2018/06/05 12:30 p.m.496 views

Reverse Engineering the Analyst: Building Machine Learning Models for the SOC

Many cyber incidents can be traced back to an original alert that was either missed or ignored by the Security Operations Center SOC or Incident Response IR team. While most analysts and SOCs are vigilant and responsive, the fact is they are often overwhelmed with alerts. If a SOC is unable to...

7AI score
Exploits0
FireEye
FireEye
added 2018/09/20 12:30 p.m.495 views

Increased Use of a Delphi Packer to Evade Malware Classification

Introduction The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools. Evasion of classification and detection is an arms race in which new techniques are traded and used in the wild...

7.5AI score
Exploits0
FireEye
FireEye
added 2018/01/04 11:30 a.m.494 views

Debugging Complex Malware that Executes Code on the Heap

Introduction In this blog, I will share a simple debugging tactic for creating “save points” during iterative remote debugging of complex multi-stage samples that execute code in heap memory at non-deterministic addresses. I’ll share two examples: one contrived, and the other a complex, modular...

7.4AI score
Exploits0
FireEye
FireEye
added 2017/10/23 11:15 a.m.494 views

New FakeNet-NG Feature: Content-Based Protocol Detection

I Matthew Haigh recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and...

0.1AI score
Exploits0
FireEye
FireEye
added 2018/05/14 9:0 a.m.492 views

A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan

As discussed in previous blogs, exploit kit activity has been on the decline since the latter half of 2016. However, we do still periodically observe significant developments in this space, and we have been observing interesting ongoing activity involving RIG Exploit Kit EK. Although the volume o...

Exploits0
FireEye
FireEye
added 2018/02/07 11:45 a.m.491 views

ReelPhish: A Real-Time Two-Factor Phishing Tool

Social Engineering and Two-Factor Authentication Social engineering campaigns are a constant threat to businesses because they target the weakest chain in security: people. A typical attack would capture a victim’s username and password and store it for an attacker to reuse later. Two-Factor...

7.4AI score
Exploits0
FireEye
FireEye
added 2017/10/10 10:30 p.m.489 views

North Korean Actors Spear Phish U.S. Electric Companies

We can confirm that FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean government. This activity was early-stage reconnaissance, and not necessarily indicative of an...

7.3AI score
Exploits0
FireEye
FireEye
added 2018/05/29 1:0 p.m.485 views

Remote Authentication GeoFeasibility Tool - GeoLogonalyzer

Users have long needed to access important resources such as virtual private networks VPNs, web applications, and mail servers from anywhere in the world at any time. While the ability to access resources from anywhere is imperative for employees, threat actors often leverage stolen credentials t...

7.4AI score
Exploits0
FireEye
FireEye
added 2021/01/20 12:0 a.m.484 views

Emulation of Kernel Mode Rootkits With Speakeasy

In August 2020, we released a blog post about how the Speakeasy emulation framework can be used to emulate user mode malware such as shellcode. If you haven’t had a chance, give the post a read today. In addition to user mode emulation, Speakeasy also supports emulation of kernel mode Windows...

7.5AI score
Exploits0References2
FireEye
FireEye
added 2017/12/04 12:0 p.m.476 views

Recognizing and Avoiding Disassembled Junk

There is a common annoyance that seems to plague every reverse engineer and incident responder at some point in their career: wasting time or energy looking at junk code. Junk code is a sequence of bytes that you have disassembled that are not actual instructions executed as part of a program. In...

6.6AI score
Exploits0
FireEye
FireEye
added 2015/11/13 1:32 p.m.473 views

Top-ranked Advertising Network Leads to Exploit Kit

Threat Overview The online advertisements that people see across a wide range of popular and lesser-known websites can lead to malware infections and other forms of compromise, sometimes without any user interaction whatsoever and without any indicators there is an issue. This emerging threat is...

10CVSS9.7AI score0.99344EPSS
Exploits6
FireEye
FireEye
added 2016/06/03 1:30 a.m.431 views

APT Group Sends Spear Phishing Emails to Indian Government Officials

Introduction On May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and...

9.3CVSS7.7AI score0.99966EPSS
Exploits12
FireEye
FireEye
added 2018/06/28 4:0 p.m.424 views

RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique

Introduction Through FireEye Dynamic Threat Intelligence DTI, we observed RIG Exploit Kit EK delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner similar activity has been reported by Trend Micro. Apart from leveraging a...

9.3CVSS9.1AI score0.93165EPSS
Exploits39References5
FireEye
FireEye
added 2015/12/01 8:0 a.m.396 views

China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets

FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat APT group and other researchers refer to as...

9.3CVSS0.3AI score0.99966EPSS
Exploits12
FireEye
FireEye
added 2021/03/31 12:0 a.m.392 views

Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service

In this blog post we will describe: How attackers use the Background Intelligent Transfer Service BITS Forensic techniques for detecting attacker activity with data format specifications Public release of the BitsParser tool A real-world example of malware using BITS persistence --- Introduction...

7AI score
Exploits0References5
FireEye
FireEye
added 2017/05/14 6:0 p.m.391 views

Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

Cyber espionage actors, now designated by FireEye as APT32 OceanLotus Group, are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of...

7.2CVSS8.2AI score0.80968EPSS
Exploits24
FireEye
FireEye
added 2020/11/19 12:0 a.m.390 views

Purgalicious VBA: Macro Obfuscation With VBA Purging

Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in Februa...

7.1AI score
Exploits0References16
FireEye
FireEye
added 2018/10/03 8:0 a.m.389 views

APT38: Details on New North Korean Regime-Backed Threat Group

Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim...

7.4AI score
Exploits0
FireEye
FireEye
added 2016/06/03 1:30 a.m.387 views

APT Group Sends Spear Phishing Emails to Indian Government Officials

Introduction On May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and...

9.3CVSS0.2AI score0.99966EPSS
Exploits12
FireEye
FireEye
added 2021/04/29 12:0 a.m.373 views

UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat

Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the...

7.5CVSS9.5AI score0.40038EPSS
Exploits0References7
FireEye
FireEye
added 2017/05/14 6:0 p.m.370 views

Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

Cyber espionage actors, now designated by FireEye as APT32 OceanLotus Group, are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of...

7.2CVSS8.4AI score0.80968EPSS
Exploits24
FireEye
FireEye
added 2021/05/27 12:0 a.m.360 views

Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices

On April 20, 2021, Mandiant published detailed results of our investigations into compromised Pulse Secure devices by suspected Chinese espionage operators. This blog post is intended to provide an update on our findings, give additional recommendations to network defenders, and discuss potential...

7.5CVSS0.4AI score0.47172EPSS
Exploits9References12
FireEye
FireEye
added 2020/11/04 12:0 a.m.354 views

In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover — CVE-2020-14871

FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer’s system and analyzed it to see how it was attacking their Solaris environment. The FLARE team’s Offensive Task Force analyz...

10CVSS0.3AI score0.79842EPSS
Exploits13References4
FireEye
FireEye
added 2020/01/24 5:0 p.m.348 views

Nice Try: 501 (Ransomware) Not Implemented

An Ever-Evolving Threat Since January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway instances that are unpatched or do not have mitigations applied. We previously reported on attackers’ swift attempts to exploit thi...

7.5CVSS9.9AI score0.99999EPSS
Exploits48References11
FireEye
FireEye
added 2014/07/17 10:0 a.m.346 views

Havex, It’s Down With OPC

FireEye recently analyzed the capabilities of a variant of Havex referred to by FireEye as “Fertger” or “PEACEPIPE”, the first publicized malware reported to actively scan OPC servers used for controlling SCADA Supervisory Control and Data Acquisition devices in critical infrastructure e.g., wate...

6.8AI score
Exploits0
FireEye
FireEye
added 2020/01/16 12:0 a.m.345 views

404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor

As noted in Rough Patch: I Promise It'll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the...

7.5CVSS0.1AI score0.99999EPSS
Exploits48References13
FireEye
FireEye
added 2018/01/17 5:0 p.m.344 views

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities. Zyklon is a publicly available,...

9.3CVSS9.2AI score0.99945EPSS
Exploits47References3
FireEye
FireEye
added 2015/12/11 6:53 a.m.343 views

LATENTBOT: Trace Me If You Can

FireEye Labs recently uncovered LATENTBOT, a new, highly obfuscated BOT that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless...

Exploits0
FireEye
FireEye
added 2017/08/22 10:0 a.m.334 views

Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit

Exploit kit EK activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular...

9.3CVSS9AI score0.94996EPSS
Exploits50
FireEye
FireEye
added 2016/04/21 1:45 p.m.316 views

PowerShell used for spreading Trojan.Laziok through Google Docs

Introduction Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the...

9.3CVSS0.7AI score0.99966EPSS
Exploits51
FireEye
FireEye
added 2016/02/23 8:0 a.m.304 views

Using EMET to Disable EMET

UPDATE July 7: This post has been updated in advance of a Black Hat 2016 presentation. Microsoft’s Enhanced Mitigation Experience Toolkit EMET is a project that adds security mitigations to user mode programs beyond those built in to the operating system. It runs inside “protected” programs as a...

10CVSS0.2AI score0.75691EPSS
Exploits17
FireEye
FireEye
added 2017/10/05 10:30 a.m.294 views

Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea

We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The attackers involved in these email campaigns leveraged a variety of distribution...

7.6AI score
Exploits0
Total number of security vulnerabilities545