Lucene search
+L
FireeyeRecent

545 matches found

FireEye
FireEye
added 2021/09/15 1:0 p.m.39 views

ELFant in the Room – capa v3

Since our initial public release of capa, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format ELF files, such as...

0.1AI score
Exploits0References10
FireEye
FireEye
added 2021/09/08 2:0 p.m.44 views

Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms, Websites, and Forums in at Least Seven Languages, Attempted to Physically Mobilize Protesters in the U.S.

In June 2019, Mandiant Threat Intelligence first reported to customers a pro-People’s Republic of China PRC network of hundreds of inauthentic accounts on Twitter, Facebook, and YouTube, that was at that time primarily focused on discrediting pro-democracy protests in Hong Kong. Since then, the...

6.9AI score
Exploits0References8
FireEye
FireEye
added 2021/09/03 10:0 a.m.749 views

PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers

In August 2021, Mandiant Managed Defense identified and responded to the exploitation of a chain of vulnerabilities known as ProxyShell. The ProxyShell vulnerabilities consist of three CVEs CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 affecting the following versions of on-premises Microsoft...

10CVSS0.6AI score0.99999EPSS
Exploits18References9
FireEye
FireEye
added 2021/09/01 3:30 p.m.55 views

Too Log; Didn't Read — Unknown Actor Using CLFS Log Files for Stealth

The Mandiant Advanced Practices team recently discovered a new malware family we have named PRIVATELOG and its installer, STASHLOG. In this post, we will share a novel and especially interesting technique the samples use to hide data, along with detailed analysis of both files that was performed...

0.2AI score
Exploits0References5
FireEye
FireEye
added 2021/08/18 3:30 p.m.65 views

Detecting Embedded Content in OOXML Documents

On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents—specifically those in the Office Open XML OOXML file format. Additionally, we’re releasing ...

6.5AI score
Exploits0References7
FireEye
FireEye
added 2021/08/17 12:0 p.m.114 views

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices

Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency “CISA” that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020,...

7.6CVSS8.5AI score0.02575EPSS
Exploits1References11
FireEye
FireEye
added 2021/08/12 3:30 p.m.52 views

Announcing the Eighth Annual Flare-On Challenge

The FLARE team is once again hosting its annual Flare-On challenge, now in its eighth year. Take this opportunity to enjoy some extreme social distancing by solving fun puzzles to test your mettle and learn new tricks on your path to reverse engineering excellence. The contest will begin at 8:00...

7.2AI score
Exploits0References1
FireEye
FireEye
added 2021/08/10 3:0 p.m.715 views

UNC215: Spotlight on a Chinese Espionage Campaign in Israel

This blog post details the post-compromise tradecraft and operational tactics, techniques, and procedures TTPs of a Chinese espionage group we track as UNC215. While UNC215’s targets are located throughout the Middle East, Europe, Asia, and North America, this report focuses on intrusion activity...

7.5CVSS0.1AI score0.99913EPSS
Exploits29References8
FireEye
FireEye
added 2021/07/19 12:0 a.m.162 views

capa 2.0: Better, Stronger, Faster

We are excited to announce version 2.0 of our open-source tool called capa. capa automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering. If you haven’t heard of capa before, or need a refresher, check...

6.7AI score
Exploits0References24
FireEye
FireEye
added 2021/06/16 12:0 a.m.204 views

Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise

Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. As...

0.6AI score
Exploits0References5
FireEye
FireEye
added 2021/05/27 12:0 a.m.360 views

Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices

On April 20, 2021, Mandiant published detailed results of our investigations into compromised Pulse Secure devices by suspected Chinese espionage operators. This blog post is intended to provide an update on our findings, give additional recommendations to network defenders, and discuss potential...

7.5CVSS0.4AI score0.47172EPSS
Exploits9References12
FireEye
FireEye
added 2021/05/25 12:0 a.m.215 views

Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises

Attacks on control processes supported by operational technology OT are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat...

1.9AI score
Exploits0References6
FireEye
FireEye
added 2021/05/11 12:0 a.m.134 views

Shining a Light on DARKSIDE Ransomware Operations

Update May 14: Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers, and wou...

7.5CVSS0.1AI score0.40038EPSS
Exploits0References14
FireEye
FireEye
added 2021/05/04 12:0 a.m.88 views

The UNC2529 Triple Double: A Trifecta Phishing Campaign

In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded...

7AI score
Exploits0References31
FireEye
FireEye
added 2021/04/29 12:0 a.m.373 views

UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat

Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the...

7.5CVSS9.5AI score0.40038EPSS
Exploits0References7
FireEye
FireEye
added 2021/04/28 12:0 a.m.134 views

Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity

In July 2020, Mandiant Threat Intelligence released a public report detailing an ongoing influence campaign we named “Ghostwriter.” Ghostwriter is a cyber-enabled influence campaign which primarily targets audiences in Lithuania, Latvia and Poland and promotes narratives critical of the North...

0.1AI score
Exploits0References4
FireEye
FireEye
added 2021/04/27 12:0 a.m.181 views

Abusing Replication: Stealing AD FS Secrets Over the Network

Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives. The focus ...

8.1AI score
Exploits0References8
FireEye
FireEye
added 2021/04/20 12:0 a.m.215 views

Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise

In March 2021, Mandiant Managed Defense identified three zero-day vulnerabilities in SonicWall’s Email Security ES product that were being exploited in the wild. These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device. The...

7.5CVSS0.4AI score0.83425EPSS
Exploits0References8
FireEye
FireEye
added 2021/04/20 12:0 a.m.720 views

Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day

Executive Summary Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances. This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and...

7.5CVSS0.2AI score0.83425EPSS
Exploits9References4
FireEye
FireEye
added 2021/04/13 12:0 a.m.22 views

Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure

High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology OT. However, there is a continued perception across critical infrastructure organizations that OT networks are isolated from public networks—such as the Internet. In...

8.1AI score
Exploits0References12
FireEye
FireEye
added 2021/04/13 12:0 a.m.24 views

M-Trends 2021: A View From the Front Lines

We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination of global events. Business operations shifted in response to the worldwide pandemic and threat actors continued to...

0.6AI score
Exploits0References5
FireEye
FireEye
added 2021/03/31 12:0 a.m.392 views

Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service

In this blog post we will describe: How attackers use the Background Intelligent Transfer Service BITS Forensic techniques for detecting attacker activity with data format specifications Public release of the BitsParser tool A real-world example of malware using BITS persistence --- Introduction...

7AI score
Exploits0References5
FireEye
FireEye
added 2021/03/04 12:0 a.m.601 views

Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities

Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint securit...

7.5CVSS9.8AI score0.99999EPSS
Exploits66References10
FireEye
FireEye
added 2021/03/04 12:0 a.m.130 views

New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452

Executive Summary In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository. SUNSHUTTLE is a second-stage backdoor written in GoLang that features some detection evasion capabilities. Mandiant observed SUNSHUTTLE at a victim compromis...

1AI score
Exploits0References2
FireEye
FireEye
added 2021/03/03 12:0 a.m.277 views

Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory

Continuing our discussion of image parsing vulnerabilities in Windows, we take a look at a comparatively less popular vulnerability class: uninitialized memory. In this post, we will look at Windows’ inbuilt image parsers—specifically for vulnerabilities involving the use of uninitialized memory...

4.3CVSS0.5AI score0.0642EPSS
Exploits1References4
FireEye
FireEye
added 2021/02/25 12:0 a.m.231 views

So Unchill: Melting UNC2198 ICEDID to Ransomware Operations

Mandiant Advanced Practices AP closely tracks the shifting tactics, techniques, and procedures TTPs of financially motivated groups who severely disrupt organizations with ransomware. In May 2020, FireEye released a blog post detailing intrusion tradecraft associated with the deployment of MAZE. ...

7.2CVSS9.1AI score0.42524EPSS
Exploits7References12
FireEye
FireEye
added 2021/02/22 12:0 a.m.253 views

Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion

Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance FTA to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting...

10CVSS1AI score0.56411EPSS
Exploits0References10
FireEye
FireEye
added 2021/02/17 12:0 a.m.266 views

Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part Two)

In this post, we continue our analysis of the SolarCity ConnectPort X2e Zigbee device referred to throughout as X2e device. In Part One, we discussed the X2e at a high level, performed initial network-based attacks, then discussed the hardware techniques used to gain a remote shell on the X2e...

7.2CVSS8.6AI score0.01165EPSS
Exploits2References8
FireEye
FireEye
added 2021/02/17 12:0 a.m.228 views

Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part One)

In 2019, Mandiant’s Red Team discovered a series of vulnerabilities present within Digi International’s ConnectPort X2e device, which allows for remote code execution as a privileged user. Specifically, Mandiant’s research focused on SolarCity’s now owned by Tesla rebranded ConnectPort X2e device...

7.2CVSS8.6AI score0.01165EPSS
Exploits2References21
FireEye
FireEye
added 2021/01/26 12:0 a.m.66 views

Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication

FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains. These domains were masquerading as authentic websites and stole personal information such as credit card data. The stolen...

6.8AI score
Exploits0References1
FireEye
FireEye
added 2021/01/21 12:0 a.m.60 views

Training Transformers for Cyber Security Tasks: A Case Study on Malicious URL Prediction

Highlights Perform a case study on using Transformer models to solve cyber security problems Train a Transformer model to detect malicious URLs under multiple training regimes Compare our model against other deep learning methods, and show it performs on-par with other top-scoring models Identify...

0.1AI score
Exploits0References13
FireEye
FireEye
added 2021/01/20 12:0 a.m.484 views

Emulation of Kernel Mode Rootkits With Speakeasy

In August 2020, we released a blog post about how the Speakeasy emulation framework can be used to emulate user mode malware such as shellcode. If you haven’t had a chance, give the post a read today. In addition to user mode emulation, Speakeasy also supports emulation of kernel mode Windows...

7.5AI score
Exploits0References2
FireEye
FireEye
added 2021/01/19 12:0 a.m.60 views

Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452

UPDATE Oct. 28, 2021: Mandiant has recently observed targeted threat actors using EWS impersonation via the ApplicationImpersonation role to maintain persistent access to mailboxes in victim environments. Once the threat actor has access to this role, its abuse is hard to detect and provides the...

1.6AI score
Exploits0References15
FireEye
FireEye
added 2020/12/24 12:0 a.m.141 views

SUNBURST Additional Technical Details

FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with our blog post about the SolarWinds supply chain compromise, which revealed...

7AI score
Exploits0References7
FireEye
FireEye
added 2020/12/13 12:0 a.m.628 views

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor

Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST. The attacker’s post...

0.1AI score
Exploits0References2
FireEye
FireEye
added 2020/12/08 12:0 a.m.183 views

Unauthorized Access of FireEye Red Team Tools

Overview A highly sophisticated state-sponsored adversary stole FireEye Red Team tools. Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them, FireEye is releasing hundreds of...

Exploits0References2
FireEye
FireEye
added 2020/12/01 12:0 a.m.103 views

Using Speakeasy Emulation Framework Programmatically to Unpack Malware

Andrew Davis recently announced the public release of his new Windows emulation framework named Speakeasy. While the introductory blog post focused on using Speakeasy as an automated malware sandbox of sorts, this entry will highlight another powerful use of the framework: automated malware...

7.1AI score
Exploits0References14
FireEye
FireEye
added 2020/11/22 12:0 a.m.42 views

Election Cyber Threats in the Asia-Pacific Region

In democratic societies, elections are the mechanism for choosing heads of state and policymakers. There are strong incentives for adversary nations to understand the intentions and preferences of the people and parties that will shape a country's future path and to reduce uncertainty about likel...

1AI score
Exploits0References3
FireEye
FireEye
added 2020/11/19 12:0 a.m.390 views

Purgalicious VBA: Macro Obfuscation With VBA Purging

Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in Februa...

7.1AI score
Exploits0References16
FireEye
FireEye
added 2020/11/09 12:0 a.m.96 views

WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques

Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW Windows on Windows system wa...

1AI score
Exploits0References7
FireEye
FireEye
added 2020/11/04 12:0 a.m.354 views

In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover — CVE-2020-14871

FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer’s system and analyzed it to see how it was attacking their Solaris environment. The FLARE team’s Offensive Task Force analyz...

10CVSS0.3AI score0.79842EPSS
Exploits13References4
FireEye
FireEye
added 2020/11/02 12:0 a.m.891 views

Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945

Through Mandiant investigation of intrusions, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise managed service providers and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party...

10CVSS0.4AI score0.99999EPSS
Exploits136References9
FireEye
FireEye
added 2020/10/28 3:30 p.m.192 views

Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine

Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new detection mechanisms and response processes. Access to the appropriate tooling and resources is critic...

0.3AI score
Exploits0References45
FireEye
FireEye
added 2020/10/28 12:0 a.m.258 views

Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser

Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the...

9.3CVSS1.6AI score0.99512EPSS
Exploits75References9
FireEye
FireEye
added 2020/10/24 12:0 a.m.214 views

Flare-On 7 Challenge Solutions

We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we’ve produced, with the lowest rate of finishers. This year’s winners are truly the elite of the elite! Lucky for them, all 260 winners will receive this...

7AI score
Exploits0References18
FireEye
FireEye
added 2020/10/14 12:0 a.m.49 views

FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN or financially motivated threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free. In...

1.3AI score
Exploits0References4
FireEye
FireEye
added 2020/09/30 12:0 a.m.114 views

Detecting Microsoft 365 and Azure Active Directory Backdoors

Mandiant has seen an uptick in incidents involving Microsoft 365 M365 and Azure Active Directory Azure AD. Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of...

2.2AI score
Exploits0References12
FireEye
FireEye
added 2020/09/24 12:0 a.m.37 views

Fuzzing Image Parsing in Windows, Part One: Color Profiles

Image parsing and rendering are basic features of any modern operating system OS. Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. In this multi-part blog series, ...

9.3CVSS9.5AI score0.11249EPSS
Exploits0References5
FireEye
FireEye
added 2020/09/14 12:0 a.m.18 views

A "DFUR-ent" Perspective on Threat Modeling and Application Log Forensic Analysis

Many organizations operating in e-commerce, hospitality, healthcare, managed services, and other service industries rely on web applications. And buried within the application logs may be the potential discovery of fraudulent use and/or compromise! But, let's face it, finding evil in application...

7.2AI score
Exploits0References2
FireEye
FireEye
added 2020/08/26 12:0 a.m.42 views

Emulation of Malicious Shellcode With Speakeasy

In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are not malware analysts to acquire triage reports in an automated way, as well as enabling reverse engineers to write custom...

0.7AI score
Exploits0References2
Total number of security vulnerabilities545