Lucene search
+L
FireeyeMost viewed

545 matches found

FireEye
FireEye
added 2020/07/29 12:0 a.m.39 views

'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests

Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests. The operations have primarily targeted audiences in...

2AI score
Exploits0References1
FireEye
FireEye
added 2019/08/08 8:30 p.m.39 views

Finding Evil in Windows 10 Compressed Memory, Part Two: Virtual Store Deep Dive

Introduction This blog post is the second in a three-part series covering our Windows 10 memory forensics research and it coincides with our BlackHat USA 2019 presentation. In Part One of the series, we covered the integration of the research in both Volatily and Rekall memory forensics tools. We...

6.3AI score
Exploits0References6
FireEye
FireEye
added 2017/01/11 11:0 a.m.39 views

APT28: At the Center of the Storm

On Jan. 6, 2017, the U.S. Director of National Intelligence released its Intelligence Community Assessment: Assessing Russian Activities and Intentions in Recent US Elections. Still, questions persist about Russian involvement. Did the Russian government direct the group responsible for the...

1.1AI score
Exploits0
FireEye
FireEye
added 2016/12/15 8:0 a.m.39 views

Do You See What I CCM?

SCCM Software Metering Reviewing forensic keyword searches can be confusing because it is often difficult for an analyst to determine the source of the various structures that contain string matches. One such structure belongs to Microsoft's System Center Configuration Manager's SCCM software...

0.3AI score
Exploits0
FireEye
FireEye
added 2019/06/04 12:0 a.m.38 views

Hunting COM Objects

COM objects have recently been used by penetration testers, Red Teams, and malicious actors to perform lateral movement. COM objects were studied by several other researchers in the past, including Matt Nelson enigma0x3, who published a blog post about it in 2017. Some of these COM objects were...

8.1AI score
Exploits0References4
FireEye
FireEye
added 2017/09/01 11:0 a.m.38 views

Monitoring Windows Console Activity (Part 1)

Introduction While performing incident response, Mandiant encounters attackers actively using systems on a compromised network. This activity often includes using interactive console programs via RDP such as the command prompt, PowerShell, and sometimes custom command and control C2 console tools...

7.4AI score
Exploits0
FireEye
FireEye
added 2016/03/22 8:0 a.m.38 views

Wiping Out a Malicious Campaign Abusing Chinese Ad Platform

At FireEye Labs, we have discovered another well-crafted malvertising campaign that uses the ad API of one of the world’s largest search engines: China-based Baidu. The attacker employs a simple HTML redirector instead of shellcode or an exploit in an apparently benign-looking website. This leads...

0.4AI score
Exploits0
FireEye
FireEye
added 2020/09/24 12:0 a.m.37 views

Fuzzing Image Parsing in Windows, Part One: Color Profiles

Image parsing and rendering are basic features of any modern operating system OS. Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. In this multi-part blog series, ...

9.3CVSS9.5AI score0.11249EPSS
Exploits0References5
FireEye
FireEye
added 2019/09/05 12:0 a.m.37 views

Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment

UPDATE Oct. 30, 2020: We have updated the report to include additional protection and containment strategies based on front-line visibility and response efforts in combating ransomware. While the full scope of recommendations included within the initial report remain unchanged, the following...

1.6AI score
Exploits0References2
FireEye
FireEye
added 2017/07/05 11:0 a.m.37 views

Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool

Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware...

7.2AI score
Exploits0
FireEye
FireEye
added 2019/10/21 12:0 a.m.36 views

Shikata Ga Nai Encoder Still Going Strong

One of the most popular exploit frameworks in the world is Metasploit. Its vast library of pocket exploits, pluggable payload environment, and simplicity of execution makes it the de facto base platform. Metasploit is used by pentesters, security enthusiasts, script kiddies, and even malicious...

0.1AI score
Exploits0References4
FireEye
FireEye
added 2017/01/11 8:45 p.m.35 views

New Variant of Ploutus ATM Malware Observed in the Wild in Latin America

Introduction Ploutus is one of the most advanced ATM malware families we’ve seen in the last few years. Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had...

Exploits0
FireEye
FireEye
added 2016/09/23 10:30 a.m.35 views

Hancitor (AKA Chanitor) observed using multiple attack approaches

Many threat actors use multiple attack vectors to ensure success. The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims. These techniques include uncommon...

0.5AI score
Exploits0
FireEye
FireEye
added 2016/08/23 8:0 a.m.35 views

Unsealing the Deal: Cyber Threats to Mergers and Acquisitions Persist in a Hot Market

Risks Posed by Sensitive Corporate Communications, Broadened Attack Surface In 2015, a record $5 trillion dollars was tied up in mergers and acquisitions M&A deals, according to JP Morgan. So far, mega deals in 2016 include Microsoft’s purchase of LinkedIn, Shire’s acquisition of Baxalta, and...

0.8AI score
Exploits0
FireEye
FireEye
added 2016/04/04 8:30 a.m.35 views

Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching

Previously On iOS Remote Hot Patching Apple’s detailed app review process has resulted in greater security for iOS apps made available through the App Store. However, this review process can be lengthy, which negatively impacts developers who need to quickly patch a buggy or insecure app. As a...

0.7AI score
Exploits0
FireEye
FireEye
added 2020/04/22 12:0 a.m.34 views

Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage

From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes was designed to collect intelligence on the COVID-19 crisis. Spear phishing messages were sent by the actor to China's Ministry...

0.3AI score
Exploits0References3
FireEye
FireEye
added 2019/10/10 12:0 a.m.34 views

Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques

During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and...

7.9AI score
Exploits0References27
FireEye
FireEye
added 2019/08/07 12:0 a.m.34 views

APT41: A Dual Espionage and Cyber Crime Operation

Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages...

7.1AI score
Exploits0References7
FireEye
FireEye
added 2017/04/03 8:0 a.m.34 views

Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation WMI. In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/02/22 9:45 a.m.34 views

Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

Introduction FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool RAT that has been used for...

0.8AI score
Exploits0
FireEye
FireEye
added 2018/12/13 12:0 p.m.33 views

What are Deep Neural Networks Learning About Malware?

An increasing number of modern antivirus solutions rely on machine learning ML techniques to protect users from malware. While ML-based approaches, like FireEye Endpoint Security’s MalwareGuard capability, have done a great job at detecting new threats, they also come with substantial development...

6.6AI score
Exploits0
FireEye
FireEye
added 2017/05/23 1:30 p.m.33 views

WannaCry Malware Profile

WannaCry also known as WCry or WanaCryptor malware is a self-propagating worm-like ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block SMB protocol, MS17-010. The WannaCry malware consists of two distinct...

7.6AI score
Exploits0
FireEye
FireEye
added 2017/01/11 11:0 a.m.33 views

APT28: At the Center of the Storm

On Jan. 6, 2017, the U.S. Director of National Intelligence released its Intelligence Community Assessment: Assessing Russian Activities and Intentions in Recent US Elections. Still, questions persist about Russian involvement. Did the Russian government direct the group responsible for the...

6.8AI score
Exploits0
FireEye
FireEye
added 2016/08/26 11:45 p.m.33 views

RIPPER ATM Malware and the 12 Million Baht Jackpot

On Aug. 23, 2016, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before. To add more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post newspaper reported...

6.7AI score
Exploits0
FireEye
FireEye
added 2015/12/11 6:53 a.m.33 views

LATENTBOT: Trace Me If You Can

FireEye Labs recently uncovered LATENTBOT, a new, highly obfuscated BOT that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless...

Exploits0
FireEye
FireEye
added 2020/07/15 12:0 a.m.32 views

Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families

Mandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity directly impacting operational technology OT networks. Some of this research is available in our previous blog posts on industrial post-compromise ransomware and FireEye's...

0.1AI score
Exploits0References3
FireEye
FireEye
added 2019/12/11 12:0 a.m.32 views

The FireEye Approach to Operational Technology Security

Today FireEye launches the Cyber Physical Threat Intelligence subscription, which provides cyber security professionals with unmatched context, data and actionable analysis on threats and risk to cyber physical systems. In light of this release, we thought it would be helpful to explain FireEye’s...

0.1AI score
Exploits0References5
FireEye
FireEye
added 2019/04/15 3:0 p.m.32 views

FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash

Adobe Flash is one of the most exploited software components of the last decade. Its complexity and ubiquity make it an obvious target for attackers. Public sources list more than one thousand CVEs being assigned to the Flash Player alone since 2005. Almost nine hundred of these vulnerabilities...

7.1AI score
Exploits0References5
FireEye
FireEye
added 2019/03/12 3:0 p.m.32 views

Going ATOMIC: Clustering and Associating Attacker Activity at Scale

At FireEye, we work hard to detect, track, and stop attackers. As part of this work, we learn a great deal of information about how various attackers operate, including details about commonly used malware, infrastructure, delivery mechanisms, and other tools and techniques. This knowledge is buil...

Exploits0References5
FireEye
FireEye
added 2019/01/08 11:0 a.m.32 views

Digging Up the Past: Windows Registry Forensics Revisited

Introduction FireEye consultants frequently utilize Windows registry data when performing forensic analysis of computer networks as part of incident response and compromise assessment missions. This can be useful to discover malicious activity and to determine what data may have been stolen from ...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/07/05 11:0 a.m.32 views

Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool

Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware...

6.6AI score
Exploits0
FireEye
FireEye
added 2017/01/09 11:0 a.m.32 views

Credit Card Data and Other Information Targeted in Netflix Phishing Campaign

Introduction Through FireEye’s Email Threat Prevention ETP solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States. This campaign is interesting because of the evasion...

6.6AI score
Exploits0
FireEye
FireEye
added 2016/01/29 8:0 a.m.32 views

Dridex Botnet Resumes Spam Operations After the Holidays

FireEye Labs observed that Dridex operators were active during the holiday season. However, during the post-Christmas and New Year weeks, we observed a slowdown in their spam campaigns. Interestingly, their breaks were short. Over the past few weeks they have resumed operations and are building...

1.8AI score
Exploits0
FireEye
FireEye
added 2020/07/30 12:0 a.m.31 views

Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates

With Business Email Compromises BECs showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 O365 breaches and how to properly investigate them. This blog post is for those who have yet to dip their toes into the waters of an O365 BEC...

6.8AI score
Exploits0References12
FireEye
FireEye
added 2018/10/11 10:30 a.m.31 views

ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field

Introduction FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements ICS Healthcheck performed by Mandiant, FireEye's consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information...

0.8AI score
Exploits0
FireEye
FireEye
added 2017/09/18 9:0 p.m.31 views

rVMI: Perform Full System Analysis with Ease

Manual dynamic analysis is an important concept. It enables us to observe the behavior of a sophisticated malware sample or exploit by executing it in a controlled environment. The information gathered through this process is often crucial in gaining a full understanding of a sample. When...

6.7AI score
Exploits0
FireEye
FireEye
added 2017/04/06 3:0 p.m.31 views

APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat

APT10 Background APT10 MenuPass Group is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these...

0.2AI score
Exploits0
FireEye
FireEye
added 2016/01/26 8:0 a.m.31 views

URLZone Zones in on Japan

Recently we’ve seen an interesting trend from several crimeware families that were mainly active in the European region, and have now expanded their activity to Japan. Rovnix is one such family, as recently reported by IBM X-Force. At the same time, we’ve seen another spam campaign break out in...

7.7AI score
Exploits0
FireEye
FireEye
added 2015/12/14 4:23 p.m.31 views

Uncovering Active PowerShell Data Stealing Campaigns

Loved by administrators, Windows PowerShell enables users to effectively perform automation and administrative tasks on local and remote systems. However, its power, ease of use, and widespread use has also made it attractive to attackers. Researchers first began demonstrating attacks involving...

0.4AI score
Exploits0
FireEye
FireEye
added 2012/10/15 5:54 p.m.31 views

New Mandiant Offering: Response Readiness Assessment

Today, I am pleased to announce the release of Mandiant's newest Strategic Solutions offering: Response Readiness Assessment. In this post, I'll explain what the service provides, why our customer's requested such a service, and who can benefit from the Response Readiness Assessment offering...

2.2AI score
Exploits0
FireEye
FireEye
added 2018/11/20 12:30 p.m.30 views

Cmd and Conquer: De-DOSfuscation with flare-qdb

When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation until I had to analyze a hideously obfuscated batch file as part of my job on...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/05/26 11:0 a.m.30 views

SMB Exploited: WannaCry Use of EternalBlue

Server Message Block SMB is the transport protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 and 445. In April 2017, Shadow Brokers released an SMB vulnerability named...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/03/23 12:0 p.m.30 views

WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell

Just over one year ago November 2015, I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation WMI on the local machine or a remote machine. WMIOps can: Start or stop a process. Return a list of all running processes. Power...

Exploits0
FireEye
FireEye
added 2016/09/23 10:30 a.m.30 views

Hancitor (AKA Chanitor) observed using multiple attack approaches

Many threat actors use multiple attack vectors to ensure success. The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims. These techniques include uncommon...

7.1AI score
Exploits0
FireEye
FireEye
added 2016/06/28 5:0 a.m.30 views

The Latest Android Overlay Malware Spreading via SMS Phishing in Europe

Introduction In April 2016, while investigating a Smishing campaign dubbed RuMMS that involved the targeting of Android users in Russia, we also noticed three similar Smishing campaigns reportedly spreading in Denmark February 2016, in Italy February 2016, and in both Denmark and Italy April 2016...

7.3AI score
Exploits0
FireEye
FireEye
added 2016/04/19 11:30 a.m.30 views

MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry

FireEye recently discovered a new variant of a point of sale POS malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payme...

0.4AI score
Exploits0
FireEye
FireEye
added 2016/03/15 8:0 a.m.30 views

Citrix XenApp and XenDesktop Hardening Guidance

A Joint Whitepaper from Mandiant and Citrix Throughout the course of Mandiant’s Red Team and Incident Response engagements, we frequently identify a wide array of misconfigured technology solutions, including Citrix XenApp and XenDesktop. We often see attackers leveraging stolen credentials from...

2.9AI score
Exploits0
FireEye
FireEye
added 2016/02/09 7:0 a.m.30 views

FLARE Script Series: flare-dbg Plug-ins

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. In this post, we continue to discuss the flare-dbg project. If you haven’t read my first post on using flare-dbg to automate string decoding, be sure to check it out! We created the flare-dbg Pytho...

7.8AI score
Exploits0
FireEye
FireEye
added 2016/01/27 8:0 a.m.30 views

Hot or Not? The Benefits and Risks of iOS Remote Hot Patching

Introduction Apple has made a significant effort to build and maintain a healthy and clean app ecosystem. The essential contributing component to this status quo is the App Store, which is protected by a thorough vetting process that scrutinizes all submitted applications. While the process is...

6.6AI score
Exploits0
FireEye
FireEye
added 2020/02/24 12:0 a.m.29 views

Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT

Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE a.k.a. Snake /...

0.5AI score
Exploits0References7
Total number of security vulnerabilities545