Lucene search
+L
FireeyeMost viewed

545 matches found

FireEye
FireEye
added 2021/05/11 12:0 a.m.133 views

Shining a Light on DARKSIDE Ransomware Operations

Update May 14: Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers, and wou...

7.5CVSS0.1AI score0.40038EPSS
Exploits0References14
FireEye
FireEye
added 2021/03/04 12:0 a.m.130 views

New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452

Executive Summary In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository. SUNSHUTTLE is a second-stage backdoor written in GoLang that features some detection evasion capabilities. Mandiant observed SUNSHUTTLE at a victim compromis...

1AI score
Exploits0References2
FireEye
FireEye
added 2016/03/18 8:30 a.m.129 views

GongDa vs. Korean News

On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit EK, potentially exposing them to malware infection. We will be referring to this site as KNS. GongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful...

9.3CVSS1.3AI score0.94996EPSS
Exploits39
FireEye
FireEye
added 2016/03/09 11:0 a.m.127 views

Lessons from Operation RussianDoll

As defensive security controls raise the bar to attack, attackers will employ increasingly sophisticated techniques to complete their mission. Understanding the mechanics and impact of these threats is essential to systematically discover and deflect the coming wave of advanced attacks. Mandiant...

7.2CVSS1.2AI score0.562EPSS
Exploits38
FireEye
FireEye
added 2020/07/20 5:30 p.m.121 views

Unique Threats to Operational Technology and Cyber Physical Systems

In this latest episode of our Eye on Security podcast, I talk all about the world of operational technology OT and cyber physical systems with one of our foremost experts on the topic: Nathan Brubaker, Senior Manager of Analysis for Mandiant Threat Intelligence. Nathan kicked off our chat by...

0.2AI score
Exploits0References5
FireEye
FireEye
added 2017/09/19 4:15 p.m.121 views

Introducing pywintrace: A Python Wrapper for ETW

Introduction Event tracing for Windows ETW is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and performance monitoring tool, it was greatly expanded in Windows Vista to create a lightweight debugging mechanism. The...

6.7AI score
Exploits0
FireEye
FireEye
added 2019/09/03 12:0 a.m.120 views

SharPersist: Windows Persistence Toolkit in C#

Background PowerShell has been used by the offensive community for several years now but recent advances in the defensive security industry are causing offensive toolkits to migrate from PowerShell to reflective C to evade modern security products. Some of these advancements include Script Block...

0.3AI score
Exploits0References5
FireEye
FireEye
added 2017/06/02 9:0 a.m.117 views

Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads

The “EternalBlue” exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic...

9.3CVSS9.7AI score0.94996EPSS
Exploits39
FireEye
FireEye
added 2017/01/04 9:2 a.m.116 views

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

7.2CVSS7.7AI score0.24554EPSS
Exploits10
FireEye
FireEye
added 2021/08/17 12:0 p.m.114 views

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices

Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency “CISA” that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020,...

7.6CVSS8.5AI score0.02575EPSS
Exploits1References11
FireEye
FireEye
added 2020/09/30 12:0 a.m.114 views

Detecting Microsoft 365 and Azure Active Directory Backdoors

Mandiant has seen an uptick in incidents involving Microsoft 365 M365 and Azure Active Directory Azure AD. Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of...

2.2AI score
Exploits0References12
FireEye
FireEye
added 2019/08/29 12:0 a.m.110 views

Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware

Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab and answering some of those questions by exploring malware debug information. We find that...

6.2AI score
Exploits0References43
FireEye
FireEye
added 2013/11/07 7:47 p.m.109 views

MIRcon 2013 – Day 2 Highlights

Thanks for another wonderful MIRcon®, everyone! It's been an honor to bring together so many leading minds in cybersecurity, and to foster conversations about what we can all do to safeguard the information and innovationson which so much of us rely on. The second and final day of MIRcon 2013...

6.6AI score
Exploits0
FireEye
FireEye
added 2020/05/12 12:0 a.m.106 views

Analyzing Dark Crystal RAT, a C# Backdoor

The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse engineering malware samples. Recently, FLARE worked on a new C variant of Dark Crystal RAT DCRat that the...

7.3AI score
Exploits0References8
FireEye
FireEye
added 2017/09/01 11:0 a.m.104 views

Monitoring Windows Console Activity (Part 2)

This is the second of two blogs that discuss the implementation of the Windows console architecture from years past, with a primary focus on the current implementation present on modern versions of Windows. Read our first blog, "Monitoring Windows Console Activity Part 1," for more. Capturing the...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/04/03 8:0 a.m.104 views

Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation WMI. In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary...

0.6AI score
Exploits0
FireEye
FireEye
added 2016/08/22 8:0 a.m.104 views

Embedded Hardware Hacking 101 – The Belkin WeMo Link

Why Embedded Hacking? Devices that are connected to the Internet or run a full operating system are becoming more and more prevalent in today’s society. From devices for locomotives to wireless light switches, the Internet of Things IoT trend is on the rise and here to stay. This has the potentia...

7.4AI score
Exploits0
FireEye
FireEye
added 2020/12/01 12:0 a.m.103 views

Using Speakeasy Emulation Framework Programmatically to Unpack Malware

Andrew Davis recently announced the public release of his new Windows emulation framework named Speakeasy. While the introductory blog post focused on using Speakeasy as an automated malware sandbox of sorts, this entry will highlight another powerful use of the framework: automated malware...

7.1AI score
Exploits0References14
FireEye
FireEye
added 2018/11/14 3:0 p.m.102 views

FLARE VM Update

FLARE VM is the first of its kind reverse engineering and malware analysis distribution on Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many reverse engineers, malware analysts, and security researchers as their go-to environment for...

7.4AI score
Exploits0
FireEye
FireEye
added 2016/05/11 3:0 p.m.102 views

Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks

In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and execut...

7.2CVSS8.2AI score0.05729EPSS
Exploits0
FireEye
FireEye
added 2016/05/05 8:0 a.m.97 views

Exploiting CVE-2016-2060 on Qualcomm Devices

Mandiant’s Red Team recently discovered a widespread vulnerability affecting Android devices that permits local privilege escalation to the built-in user “radio”, making it so an attacker can potentially perform activities such as viewing the victim’s SMS database and phone history. The...

9.3CVSS0.2AI score0.00466EPSS
Exploits0
FireEye
FireEye
added 2020/11/09 12:0 a.m.95 views

WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques

Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW Windows on Windows system wa...

1AI score
Exploits0References7
FireEye
FireEye
added 2016/10/13 8:0 a.m.95 views

Operations of a Brazilian Payment Card Fraud Group

Introduction Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyb...

8.6AI score
Exploits0
FireEye
FireEye
added 2019/04/05 5:0 p.m.94 views

Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware

Summary Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data. The intent of the intrusion was initially unclear because the customer did not...

10CVSS0.1AI score0.79842EPSS
Exploits13References3
FireEye
FireEye
added 2016/08/22 8:0 a.m.94 views

Embedded Hardware Hacking 101 – The Belkin WeMo Link

Why Embedded Hacking? Devices that are connected to the Internet or run a full operating system are becoming more and more prevalent in today’s society. From devices for locomotives to wireless light switches, the Internet of Things IoT trend is on the rise and here to stay. This has the potentia...

Exploits0
FireEye
FireEye
added 2016/03/22 12:0 p.m.94 views

Wiping Out a Malicious Campaign Abusing Chinese Ad Platform

At FireEye Labs, we have discovered another well-crafted malvertising campaign that uses the ad API of one of the world’s largest search engines: China-based Baidu. The attacker employs a simple HTML redirector instead of shellcode or an exploit in an apparently benign-looking website. This leads...

6.9AI score
Exploits0References1
FireEye
FireEye
added 2017/06/29 12:30 p.m.93 views

Back That App Up: Gaining Root on the Lenovo Vibe

In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should wo...

7.2CVSS7.9AI score0.00165EPSS
Exploits0
FireEye
FireEye
added 2017/07/26 12:31 p.m.92 views

FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!

As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine VM to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately trying to maintain a custom VM like this is very laborious: tools frequentl...

7.1AI score
Exploits0
FireEye
FireEye
added 2016/06/07 8:0 a.m.90 views

Rotten Apples: Apple-like Malicious Phishing Domains

At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in...

6.7AI score
Exploits0
FireEye
FireEye
added 2017/03/23 12:0 p.m.89 views

WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell

Just over one year ago November 2015, I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation WMI on the local machine or a remote machine. WMIOps can: Start or stop a process. Return a list of all running processes. Power...

7.7AI score
Exploits0
FireEye
FireEye
added 2021/05/04 12:0 a.m.88 views

The UNC2529 Triple Double: A Trifecta Phishing Campaign

In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded...

7AI score
Exploits0References31
FireEye
FireEye
added 2019/06/11 3:15 p.m.88 views

Hunting COM Objects (Part Two)

Background As a follow up to Part One in this blog series on COM object hunting, this post will talk about taking the COM object hunting methodology deeper by looking at interesting COM object methods exposed in properties and sub-properties of COM objects. What is a COM Object? According to...

0.7AI score
Exploits0References7
FireEye
FireEye
added 2014/08/01 3:18 p.m.85 views

FLARE IDA Pro Script Series: Automatic Recovery of Constructed Strings in Malware

The FireEye Labs Advanced Reverse Engineering FLARE Team is dedicated to sharing knowledge and tools with the community. We started with the release of the FLARE On Challenge in early July where thousands of reverse engineers and security enthusiasts participated. Stay tuned for a write-up of the...

Exploits0
FireEye
FireEye
added 2017/07/26 12:31 p.m.81 views

FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!

UPDATE 2 Nov. 14, 2018: FLARE VM now has a new installation, upgrade, and uninstallation process, and also includes many new tools such as IDA 7.0, radare and YARA. UPDATE April 26, 2018: The web installer method to deploy FLARE VM is now deprecated. Please refer to the README on the FLARE VM...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/06/29 12:30 p.m.79 views

Back That App Up: Gaining Root on the Lenovo Vibe

In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should wo...

7.2CVSS0.00165EPSS
Exploits0
FireEye
FireEye
added 2013/03/04 6:5 p.m.78 views

Redline: Answering Your Questions

Those of you who attended the "Tools of Engagement: Redline™ - We've Got the Tool, If You've Got the Time" webinar last month by David Ross and myself will recall that we ran short on time while answering all of your questions. The webinar covered the latest updates to Redline, Mandiant's free to...

7.2AI score
Exploits0
FireEye
FireEye
added 2016/04/21 5:45 p.m.77 views

PowerShell used for spreading Trojan.Laziok through Google Docs

Introduction Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the...

9.3CVSS8.1AI score0.99966EPSS
Exploits51
FireEye
FireEye
added 2017/01/04 9:2 a.m.75 views

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

7.2CVSS7.8AI score0.24554EPSS
Exploits10
FireEye
FireEye
added 2016/06/07 8:0 a.m.75 views

Rotten Apples: Apple-like Malicious Phishing Domains

At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in...

6.5AI score
Exploits0
FireEye
FireEye
added 2017/07/25 5:0 p.m.73 views

HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign

A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...

7.3AI score
Exploits0References2
FireEye
FireEye
added 2019/04/08 4:30 p.m.72 views

Finding Weaknesses Before the Attackers Do

This blog post originally appeared as an article in M-Trends 2019. FireEye Mandiant red team consultants perform objectives-based assessments that emulate real cyber attacks by advanced and nation state attackers across the entire attack lifecycle by blending into environments and observing how...

10CVSS0.9AI score0.79842EPSS
Exploits13References5
FireEye
FireEye
added 2019/09/30 12:0 a.m.71 views

The FireEye OT-CSIO: An Ontology to Understand, Cross-Compare, and Assess Operational Technology Cyber Security Incidents

The FireEye Operational Technology Cyber Security Incident Ontology OT-CSIO While the number of threats to operational technology OT have significantly increased since the discovery of Stuxnet – driven by factors such as the growing convergence with information technology IT networks and the...

Exploits0References14
FireEye
FireEye
added 2019/08/07 12:0 a.m.71 views

Commando VM 2.0: Customization, Containers, and Kali, Oh My!

The Complete Mandiant Offensive Virtual Machine “Commando VM” swept the penetration testing community by storm when it debuted in early 2019 at Black Hat Asia Arsenal. Our 1.0 release made headway featuring more than 140 tools. Well now we are back again for another spectacular release, this time...

0.1AI score
Exploits0References28
FireEye
FireEye
added 2019/09/28 12:0 a.m.70 views

2019 Flare-On Challenge Solutions

We are pleased to announce the conclusion of the sixth annual Flare-On Challenge. The popularity of this event continues to grow and this year we saw a record number of players as well as finishers. We will break down the numbers later in the post, but right now let’s look at the fun stuff: the...

0.2AI score
Exploits0References13
FireEye
FireEye
added 2021/01/26 12:0 a.m.66 views

Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication

FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains. These domains were masquerading as authentic websites and stole personal information such as credit card data. The stolen...

6.8AI score
Exploits0References1
FireEye
FireEye
added 2021/08/18 3:30 p.m.65 views

Detecting Embedded Content in OOXML Documents

On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents—specifically those in the Office Open XML OOXML file format. Additionally, we’re releasing ...

6.5AI score
Exploits0References7
FireEye
FireEye
added 2018/02/03 2:15 a.m.65 views

Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations

On Jan. 31, KISA KrCERT published an advisory about an Adobe Flash zero-day vulnerability CVE-2018-4878 being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash Player 28.0.0.137 and earlier versions, and that successful exploitation coul...

7.5CVSS8.6AI score0.89618EPSS
Exploits19References3
FireEye
FireEye
added 2019/10/10 12:0 a.m.63 views

Staying Hidden on the Endpoint: Evading Detection with Shellcode

True red team assessments require a secondary objective of avoiding detection. Part of the glory of a successful red team assessment is not getting detected by anything or anyone on the system. As modern Endpoint Detection and Response EDR products have matured over the years, the red teams must...

0.1AI score
Exploits0References3
FireEye
FireEye
added 2016/06/20 8:0 p.m.63 views

Red Line Drawn: China Recalculates Its Use of Cyber Espionage

On Sept. 25, 2015, President Barack Obama and Chinese President Xi Jinping agreed that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” for an economic advantage. Some observers hailed the agreement as a game changer for U.S. and Chinese...

6.9AI score
Exploits0
FireEye
FireEye
added 2012/12/31 4:6 p.m.62 views

A Look Back at 2012: The Armory

As we are mere hours away from celebrating 2013, we'd like to focus today on M-Unition's Armory channel. The Armory is the place to be if you want to be the first to find out about the latest releases, free tools and of course, our ever popular M-Trends report. The most popular posts in this...

0.3AI score
Exploits0
Total number of security vulnerabilities545