Lucene search
+L
FireeyeRecent

545 matches found

FireEye
FireEye
added 2020/08/25 12:0 a.m.16 views

A Hands-On Introduction to Mandiant's Approach to OT Red Teaming

Operational technology OT asset owners have historically considered red teaming of OT and industrial control system ICS networks to be too risky due to the potential for disruptions or adverse impact to production systems. While this mindset has remained largely unchanged for years, Mandiant's...

0.2AI score
Exploits0References4
FireEye
FireEye
added 2020/08/11 5:0 p.m.17 views

COOKIEJAR: Tracking Adversaries With FireEye Endpoint Security’s Logon Tracker Module

During a recent investigation at a telecommunications company led by Mandiant Managed Defense, our team was tasked with rapidly identifying systems that had been accessed by a threat actor using legitimate, but compromised domain credentials. This sometimes-challenging task was made simple becaus...

0.1AI score
Exploits0References4
FireEye
FireEye
added 2020/08/06 12:0 a.m.25 views

Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach

The FireEye Front Line Applied Research & Expertise FLARE Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the la...

0.1AI score
Exploits0References22
FireEye
FireEye
added 2020/08/05 12:0 a.m.20 views

Repurposing Neural Networks to Generate Synthetic Media for Information Operations

FireEye’s Data Science and Information Operations Analysis teams released this blog post to coincide with our Black Hat USA 2020 Briefing, which details how open source, pre-trained neural networks can be leveraged to generate synthetic media for malicious purposes. To summarize our presentation,...

0.6AI score
Exploits0References21
FireEye
FireEye
added 2020/08/04 12:0 a.m.16 views

Announcing the Seventh Annual Flare-On Challenge

The Front Line Applied Research & Expertise FLARE team is honored to announce that the popular Flare-On challenge will return for a triumphant seventh year. Ongoing global events proved no match against our passion for creating challenging and fun puzzles to test and hone the skills of aspiring a...

7.2AI score
Exploits0References1
FireEye
FireEye
added 2020/07/30 12:0 a.m.31 views

Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates

With Business Email Compromises BECs showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 O365 breaches and how to properly investigate them. This blog post is for those who have yet to dip their toes into the waters of an O365 BEC...

6.8AI score
Exploits0References12
FireEye
FireEye
added 2020/07/29 12:0 a.m.39 views

'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests

Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests. The operations have primarily targeted audiences in...

2AI score
Exploits0References1
FireEye
FireEye
added 2020/07/20 5:30 p.m.121 views

Unique Threats to Operational Technology and Cyber Physical Systems

In this latest episode of our Eye on Security podcast, I talk all about the world of operational technology OT and cyber physical systems with one of our foremost experts on the topic: Nathan Brubaker, Senior Manager of Analysis for Mandiant Threat Intelligence. Nathan kicked off our chat by...

0.2AI score
Exploits0References5
FireEye
FireEye
added 2020/07/16 12:0 a.m.45 views

capa: Automatically Identify Malware Capabilities

capa is the FLARE team’s newest open-source tool for analyzing malicious programs. Our tool provides a framework for the community to encode, recognize, and share behaviors that we’ve seen in malware. Regardless of your background, when you use capa, you invoke decades of cumulative reverse...

7.4AI score
Exploits0References14
FireEye
FireEye
added 2020/07/15 12:0 a.m.32 views

Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families

Mandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity directly impacting operational technology OT networks. Some of this research is available in our previous blog posts on industrial post-compromise ransomware and FireEye's...

0.1AI score
Exploits0References3
FireEye
FireEye
added 2020/07/13 12:0 a.m.28 views

SCANdalous! (External Detection Using Network Scan Data and Automation)

Real Quick In case you’re thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn’t get sued. SCANdalous—a.k.a. Scannah Montana a.k.a. Scanny McScanface a.k.a. “Scan I Kick It? Yes You Scan”—had another name before today that, for legal reasons, we’re...

7AI score
Exploits0References10
FireEye
FireEye
added 2020/07/07 6:0 p.m.22 views

Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool

We recently encountered a large obfuscated malware sample that offered several interesting analysis challenges. It used virtualization that prevented us from producing a fully-deobfuscated memory dump for static analysis. Statically analyzing a large virtualized sample can take anywhere from...

Exploits0References4
FireEye
FireEye
added 2020/05/14 12:0 a.m.20 views

Using Real-Time Events in Investigations

To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table MFT, registry hives, and Application Compatibility Cache AppCompat. However, these evidence sources were not designed with...

7.1AI score
Exploits0References12
FireEye
FireEye
added 2020/05/12 12:0 a.m.106 views

Analyzing Dark Crystal RAT, a C# Backdoor

The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse engineering malware samples. Recently, FLARE worked on a new C variant of Dark Crystal RAT DCRat that the...

7.3AI score
Exploits0References8
FireEye
FireEye
added 2020/05/07 12:0 a.m.1533 views

Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity,...

7.6CVSS0.4AI score0.87639EPSS
Exploits9References13
FireEye
FireEye
added 2020/04/28 12:0 a.m.18 views

Excelerating Analysis, Part 2 — X[LOOKUP] Gon’ Pivot To Ya

In December 2019, we published a blog post on augmenting analysis using Microsoft Excel for various data sets for incident response investigations. As we described, investigations often include custom or proprietary log formats and miscellaneous, non-traditional forensic artifacts. There are, of...

6.5AI score
Exploits0References8
FireEye
FireEye
added 2020/04/27 12:30 p.m.630 views

Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence — Intelligence for Vulnerability Management, Part Four

One of the critical strategic and tactical roles that cyber threat intelligence CTI plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandian...

9.3CVSS9.2AI score0.99999EPSS
Exploits60References10
FireEye
FireEye
added 2020/04/22 12:0 a.m.34 views

Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage

From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes was designed to collect intelligence on the COVID-19 crisis. Spear phishing messages were sent by the actor to China's Ministry...

0.3AI score
Exploits0References3
FireEye
FireEye
added 2020/04/20 12:0 p.m.146 views

Separating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities — Intelligence for Vulnerability Management, Part Three

One of the critical strategic and tactical roles that cyber threat intelligence CTI plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandian...

9CVSS0.9AI score0.99999EPSS
Exploits67References6
FireEye
FireEye
added 2020/04/13 12:0 a.m.723 views

Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two

One of the critical strategic and tactical roles that cyber threat intelligence CTI plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandian...

10CVSS0.5AI score0.99993EPSS
Exploits296References3
FireEye
FireEye
added 2020/04/08 4:15 p.m.10 views

Limited Shifts in the Cyber Threat Landscape Driven by COVID-19

Though COVID-19 has had enormous effects on our society and economy, its effects on the cyber threat landscape remain limited. For the most part, the same actors we have always tracked are behaving in the same manner they did prior to the crisis. There are some new challenges, but they are...

7.1AI score
Exploits0References4
FireEye
FireEye
added 2020/04/07 4:0 p.m.24 views

Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation

This blog post continues the FLARE script series with a discussion of patching IDA Pro database files IDBs to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won’t always successfully execute in a VM. I use IDA Pro’s Bochs integration in...

7.7AI score
Exploits0References7
FireEye
FireEye
added 2020/04/06 12:0 a.m.183 views

Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill — Intelligence for Vulnerability Management, Part One

One of the critical strategic and tactical roles that cyber threat intelligence CTI plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandian...

10CVSS8.9AI score0.93289EPSS
Exploits69References15
FireEye
FireEye
added 2020/04/02 12:0 a.m.18 views

FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG

As developers of the network simulation tool FakeNet-NG, reverse engineers on the FireEye FLARE team, and malware analysis instructors, we get to see how different analysts use FakeNet-NG and the challenges they face. We have learned that FakeNet-NG provides many useful features and solutions of...

Exploits0References8
FireEye
FireEye
added 2020/04/01 12:0 a.m.15 views

Kerberos Tickets on Linux Red Teams

At FireEye Mandiant, we conduct numerous red team engagements within Windows Active Directory environments. Consequently, we frequently encounter Linux systems integrated within Active Directory environments. Compromising an individual domain-joined Linux system can provide useful data on its own...

0.4AI score
Exploits0References10
FireEye
FireEye
added 2020/03/31 12:0 a.m.16 views

It’s Your Money and They Want It Now — The Cycle of Adversary Pursuit

When we discover new intrusions, we ask ourselves questions that will help us understand the totality of the activity set. How common is this activity? Is there anything unique or special about this malware or campaign? What is new and what is old in terms of TTPs or infrastructure? Is this being...

7.1AI score
Exploits0References5
FireEye
FireEye
added 2020/03/27 7:0 p.m.25 views

Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks

Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus...

Exploits0References1
FireEye
FireEye
added 2020/03/25 12:0 a.m.654 views

This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers,...

10CVSS0.3AI score0.99999EPSS
Exploits100References19
FireEye
FireEye
added 2020/03/23 12:0 a.m.19 views

Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats

There has only been a small number of broadly documented cyber attacks targeting operational technologies OT / industrial control systems ICS over the last decade. While fewer attacks is clearly a good thing, the lack of an adequate sample size to determine risk thresholds can make it difficult f...

0.1AI score
Exploits0References9
FireEye
FireEye
added 2020/03/17 12:0 a.m.25 views

Six Facts about Address Space Layout Randomization on Windows

Overcoming address space layout randomization ASLR is a precondition of virtually all modern memory corruption vulnerabilities. Breaking ASLR is an area of active research and can get incredibly complicated. This blog post presents some basic facts about ASLR, focusing on the Windows...

0.6AI score
Exploits0References9
FireEye
FireEye
added 2020/03/16 12:0 a.m.16 views

They Come in the Night: Ransomware Deployment Trends

Ransomware is a remote, digital shakedown. It is disruptive and expensive, and it affects all kinds of organizations, from cutting edge space technology firms, to the wool industry, to industrial environments. Infections have forced hospitals to turn away patients and law enforcement to drop case...

1.2AI score
Exploits0References12
FireEye
FireEye
added 2020/03/09 12:0 a.m.20 views

Crescendo: Real Time Event Viewer for macOS

Prior to 2017, researchers couldn’t easily monitor actions performed by a process on macOS and had to resort to coding scripts that produced low level system call data. FireEye released Monitor.app in 2017 that enabled collection of information on macOS at a higher level; at a simplified data set...

6.6AI score
Exploits0References11
FireEye
FireEye
added 2020/02/24 12:0 a.m.29 views

Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT

Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE a.k.a. Snake /...

0.5AI score
Exploits0References7
FireEye
FireEye
added 2020/02/20 12:0 a.m.16 views

M-Trends 2020: Insights From the Front Lines

Today we release M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. This latest M-Trends contains all of the statistics, trends, case studies and hardening recommendations that readers have come to expect through the years—and more. One of the most exciting takeaways...

0.8AI score
Exploits0References1
FireEye
FireEye
added 2020/02/19 12:0 a.m.16 views

The Missing LNK — Correlating User Search LNK files

Forensic investigators use LNK shortcut files to recover metadata about recently accessed files, including files deleted after the time of access. In a recent investigation, FireEye Mandiant encountered LNK files that indicated an attacker accessed files included in Windows Explorer search result...

6.9AI score
Exploits0References3
FireEye
FireEye
added 2020/02/12 12:30 p.m.13 views

"Distinguished Impersonator" Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests

In May 2019, FireEye Threat Intelligence published a blog post exposing a network of English-language social media accounts that engaged in inauthentic behavior and misrepresentation that we assessed with low confidence was organized in support of Iranian political interests. Personas in that...

0.5AI score
Exploits0References3
FireEye
FireEye
added 2020/02/11 5:0 p.m.12 views

Managed Defense: The Analytical Mindset

When it comes to cyber security managed services or otherwise, you’re ultimately reliant on analyst expertise to keep your environment safe. Products and intelligence are necessary pieces of the security puzzle to generate detection signal and whittle down the alert chaff, but in the end, an...

7.8AI score
Exploits0References1
FireEye
FireEye
added 2020/02/05 12:0 a.m.18 views

STOMP 2 DIS: Brilliance in the (Visual) Basics

Throughout January 2020, FireEye has continued to observe multiple targeted phishing campaigns designed to download and deploy a backdoor we track as MINEBRIDGE. The campaigns primarily targeted financial services organizations in the United States, though targeting is likely more widespread than...

8AI score
Exploits0References15
FireEye
FireEye
added 2020/01/31 12:0 a.m.50 views

Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D

DLL Abuse Techniques Overview Dynamic-link library DLL side-loading occurs when Windows Side-by-Side WinSxS manifests are not explicit about the characteristics of DLLs being loaded by a program. In layman’s terms, DLL side-loading can allow an attacker to trick a program into loading a malicious...

Exploits0References26
FireEye
FireEye
added 2020/01/24 5:0 p.m.348 views

Nice Try: 501 (Ransomware) Not Implemented

An Ever-Evolving Threat Since January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway instances that are unpatched or do not have mitigations applied. We previously reported on attackers’ swift attempts to exploit thi...

7.5CVSS9.9AI score0.99999EPSS
Exploits48References11
FireEye
FireEye
added 2020/01/16 12:0 a.m.345 views

404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor

As noted in Rough Patch: I Promise It'll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the...

7.5CVSS0.1AI score0.99999EPSS
Exploits48References13
FireEye
FireEye
added 2020/01/09 12:0 a.m.18 views

SAIGON, the Mysterious Ursnif Fork

Ursnif aka Gozi/Gozi-ISFB is one of the oldest banking malware families still in active distribution. While the first major version of Ursnif was identified in 2006, several subsequent versions have been released in large part due source code leaks. FireEye reported on a previously unidentified...

0.3AI score
Exploits0References4
FireEye
FireEye
added 2019/12/11 12:0 a.m.32 views

The FireEye Approach to Operational Technology Security

Today FireEye launches the Cyber Physical Threat Intelligence subscription, which provides cyber security professionals with unmatched context, data and actionable analysis on threats and risk to cyber physical systems. In light of this release, we thought it would be helpful to explain FireEye’s...

0.1AI score
Exploits0References5
FireEye
FireEye
added 2019/12/04 12:0 a.m.209 views

Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774)

Attackers have a dirty little secret that is being used to conduct big intrusions. We’ll explain how they're "unpatching" an exploit and then provide new Outlook hardening guidance that is not available elsewhere. Specifically, this blog post covers field-tested automated registry processing for...

6.8CVSS7.9AI score0.59893EPSS
Exploits2References39
FireEye
FireEye
added 2019/12/03 12:0 a.m.14 views

Excelerating Analysis – Tips and Tricks to Analyze Data with Microsoft Excel

Incident response investigations don’t always involve standard host-based artifacts with fully developed parsing and analysis tools. At FireEye Mandiant, we frequently encounter incidents that involve a number of systems and solutions that utilize custom logging or artifact data. Determining what...

7AI score
Exploits0References5
FireEye
FireEye
added 2019/11/25 8:0 p.m.17 views

FIDL: FLARE’s IDA Decompiler Library

IDA Pro and the Hex Rays decompiler are a core part of any toolkit for reverse engineering and vulnerability research. In a previous blog post we discussed how the Hex-Rays API can be used to solve small, well-defined problems commonly seen as part of malware analysis. Having access to a...

6.7AI score
Exploits0References2
FireEye
FireEye
added 2019/11/14 5:0 p.m.13 views

Attention is All They Need: Combatting Social Media Information Operations With Neural Language Models

Information operations have flourished on social media in part because they can be conducted cheaply, are relatively low risk, have immediate global reach, and can exploit the type of viral amplification incentivized by platforms. Using networks of coordinated accounts, social media-driven...

0.1AI score
Exploits0References26
FireEye
FireEye
added 2019/10/31 12:0 a.m.19 views

MESSAGETAP: Who’s Reading Your Text Messages?

FireEye Mandiant recently discovered a new malware family used by APT41 a Chinese APT group that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications networ...

6.7AI score
Exploits0References6
FireEye
FireEye
added 2019/10/29 6:0 p.m.20 views

CertUtil Qualms: They Came to Drop FOMBs

This blog post covers an interesting intrusion attempt that Mandiant Managed Defense thwarted involving the rapid weaponization of a recently disclosed vulnerability combined with the creative use of WMI compiled “.bmf” files and CertUtil for obfuscated execution. This intrusion attempt highlight...

Exploits0References13
FireEye
FireEye
added 2019/10/21 12:0 a.m.36 views

Shikata Ga Nai Encoder Still Going Strong

One of the most popular exploit frameworks in the world is Metasploit. Its vast library of pocket exploits, pluggable payload environment, and simplicity of execution makes it the de facto base platform. Metasploit is used by pentesters, security enthusiasts, script kiddies, and even malicious...

0.1AI score
Exploits0References4
Total number of security vulnerabilities545