Lucene search
+L
FireeyeRecent

545 matches found

FireEye
FireEye
added 2018/03/16 12:0 a.m.1191 views

Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries

Intrusions Focus on the Engineering and Maritime Sector Since early 2018, FireEye including our FireEye as a Service FaaS, Mandiant Consulting, and iSIGHT Intelligence teams has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to...

9.3CVSS0.1AI score0.99945EPSS
Exploits33
FireEye
FireEye
added 2018/03/13 12:15 p.m.516 views

Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign

Introduction From January 2018 to March 2018, through FireEye’s Dynamic Threat Intelligence, we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. We attribute this activity t...

7.8AI score
Exploits0
FireEye
FireEye
added 2018/02/20 8:30 a.m.4157 views

APT37 (Reaper): The Overlooked North Korean Actor

On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability CVE-2018-4878 by a suspected North Korean cyber espionage group that we now track as APT37 Reaper. Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and...

9.3CVSS8.8AI score0.93289EPSS
Exploits26
FireEye
FireEye
added 2018/02/15 4:30 p.m.170 views

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners. CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service WLS Security in Oracle WebLogic Server versions 12.2.1.2.0...

9.3CVSS8.6AI score0.99993EPSS
Exploits100References4
FireEye
FireEye
added 2018/02/15 11:30 a.m.1683 views

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners. CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service WLS Security in Oracle WebLogic Server versions 12.2.1.2.0...

9.3CVSS8.6AI score0.99993EPSS
Exploits100
FireEye
FireEye
added 2018/02/07 11:45 a.m.491 views

ReelPhish: A Real-Time Two-Factor Phishing Tool

Social Engineering and Two-Factor Authentication Social engineering campaigns are a constant threat to businesses because they target the weakest chain in security: people. A typical attack would capture a victim’s username and password and store it for an attacker to reuse later. Two-Factor...

7.4AI score
Exploits0
FireEye
FireEye
added 2018/02/03 2:15 a.m.65 views

Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations

On Jan. 31, KISA KrCERT published an advisory about an Adobe Flash zero-day vulnerability CVE-2018-4878 being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash Player 28.0.0.137 and earlier versions, and that successful exploitation coul...

7.5CVSS8.6AI score0.89618EPSS
Exploits19References3
FireEye
FireEye
added 2018/02/02 9:15 p.m.746 views

Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations

On Jan. 31, KISA KrCERT published an advisory about an Adobe Flash zero-day vulnerability CVE-2018-4878 being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash Player 28.0.0.137 and earlier versions, and that successful exploitation coul...

7.5CVSS8.6AI score0.89618EPSS
Exploits19
FireEye
FireEye
added 2018/01/17 5:0 p.m.344 views

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities. Zyklon is a publicly available,...

9.3CVSS9.2AI score0.99945EPSS
Exploits47References3
FireEye
FireEye
added 2018/01/17 12:0 p.m.8965 views

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities. Zyklon is a publicly available,...

9.3CVSS8.8AI score0.99945EPSS
Exploits47
FireEye
FireEye
added 2018/01/11 4:45 p.m.23 views

FLARE IDA Pro Script Series: Simplifying Graphs in IDA

Introduction We’re proud to release a new plug-in for IDA Pro users – SimplifyGraph – to help automate creation of groups of nodes in the IDA’s disassembly graph view. Code and binaries are available from the FireEye GitHub repo. Prior to this release we submitted it in the 2017 Hex-Rays plugin...

6.7AI score
Exploits0References4
FireEye
FireEye
added 2018/01/11 11:45 a.m.579 views

FLARE IDA Pro Script Series: Simplifying Graphs in IDA

Introduction We’re proud to release a new plug-in for IDA Pro users – SimplifyGraph – to help automate creation of groups of nodes in the IDA’s disassembly graph view. Code and binaries are available from the FireEye GitHub repo. Prior to this release we submitted it in the 2017 Hex-Rays plugin...

6.7AI score
Exploits0
FireEye
FireEye
added 2018/01/04 11:30 a.m.494 views

Debugging Complex Malware that Executes Code on the Heap

Introduction In this blog, I will share a simple debugging tactic for creating “save points” during iterative remote debugging of complex multi-stage samples that execute code in heap memory at non-deterministic addresses. I’ll share two examples: one contrived, and the other a complex, modular...

7.4AI score
Exploits0
FireEye
FireEye
added 2017/12/14 10:0 a.m.513 views

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure

Introduction Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/12/07 12:0 p.m.4571 views

New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit

Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber...

9.3CVSS8.7AI score0.99945EPSS
Exploits62
FireEye
FireEye
added 2017/12/04 12:0 p.m.476 views

Recognizing and Avoiding Disassembled Junk

There is a common annoyance that seems to plague every reverse engineer and incident responder at some point in their career: wasting time or energy looking at junk code. Junk code is a sequence of bytes that you have disassembled that are not actual instructions executed as part of a program. In...

6.6AI score
Exploits0
FireEye
FireEye
added 2017/11/28 7:0 p.m.10 views

Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection

Introduction TLS Thread Local Storage callbacks are provided by the Windows operating system to support additional initialization and termination for per-thread data structures. As previously reported, malicious TLS callbacks, as an anti-analysis trick, have been observed for quite some time and...

7.5AI score
Exploits0References2
FireEye
FireEye
added 2017/11/28 2:0 p.m.506 views

Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection

Introduction TLS Thread Local Storage callbacks are provided by the Windows operating system to support additional initialization and termination for per-thread data structures. As previously reported, malicious TLS callbacks, as an anti-analysis trick, have been observed for quite some time and...

7.5AI score
Exploits0
FireEye
FireEye
added 2017/10/30 2:0 p.m.13 views

Introducing GoCrack: A Managed Password Cracking Tool

FireEye's Innovation and Custom Engineering ICE team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI Figure 1 shows the dashboard to create, view, and manage...

7AI score
Exploits0References3
FireEye
FireEye
added 2017/10/30 10:0 a.m.502 views

Introducing GoCrack: A Managed Password Cracking Tool

FireEye's Innovation and Custom Engineering ICE team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI Figure 1 shows the dashboard to create, view, and manage...

1.2AI score
Exploits0
FireEye
FireEye
added 2017/10/26 7:0 p.m.16 views

BACKSWING - Pulling a BADRABBIT Out of a Hat

Executive Summary On Oct. 24, 2017, coordinated strategic web compromises started to distribute BADRABBIT ransomware to unwitting users. FireEye appliances detected the download attempts and blocked our user base from infection. During our investigation into the activity, FireEye identified a...

7.4AI score
Exploits0References2
FireEye
FireEye
added 2017/10/26 3:0 p.m.509 views

BACKSWING - Pulling a BADRABBIT Out of a Hat

Executive Summary On Oct. 24, 2017, coordinated strategic web compromises started to distribute BADRABBIT ransomware to unwitting users. FireEye appliances detected the download attempts and blocked our user base from infection. During our investigation into the activity, FireEye identified a...

Exploits0
FireEye
FireEye
added 2017/10/23 3:15 p.m.13 views

New FakeNet-NG Feature: Content-Based Protocol Detection

I Matthew Haigh recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and...

6.4AI score
Exploits0References2
FireEye
FireEye
added 2017/10/23 11:15 a.m.494 views

New FakeNet-NG Feature: Content-Based Protocol Detection

I Matthew Haigh recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and...

0.1AI score
Exploits0
FireEye
FireEye
added 2017/10/19 4:6 p.m.907 views

Magniber Ransomware Wants to Infect Only the Right People

Introduction Exploit kit EK use has been on the decline since late 2016; however, certain activity remains consistent. The Magnitude Exploit Kit is one such example that continues to affect users, particularly in the APAC region. In Figure 1, which is based on FireEye Dynamic threat Intelligence...

7.6CVSS0.1AI score0.93165EPSS
Exploits10
FireEye
FireEye
added 2017/10/13 5:0 p.m.586 views

2017 Flare-On Challenge Solutions

Another year, another successful Flare-On Challenge. I’d first like to thank our challenge authors for their hard work developing each of the challenges, and also for writing up their solutions: Challenge 1: Dominik Weber @Invalidhandle Challenge 2: Nhan Huynh Challenge 3: Matt Williams...

1.7AI score
Exploits0
FireEye
FireEye
added 2017/10/11 2:30 a.m.13 views

North Korean Actors Spear Phish U.S. Electric Companies

We can confirm that FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean government. This activity was early-stage reconnaissance, and not necessarily indicative of an...

7.3AI score
Exploits0References1
FireEye
FireEye
added 2017/10/10 10:30 p.m.293 views

North Korean Actors Spear Phish U.S. Electric Companies

We can confirm that FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean government. This activity was early-stage reconnaissance, and not necessarily indicative of an...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/10/10 10:30 p.m.489 views

North Korean Actors Spear Phish U.S. Electric Companies

We can confirm that FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean government. This activity was early-stage reconnaissance, and not necessarily indicative of an...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/10/05 10:30 a.m.165 views

Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea

We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The attackers involved in these email campaigns leveraged a variety of distribution...

7.6AI score
Exploits0
FireEye
FireEye
added 2017/10/05 10:30 a.m.294 views

Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea

We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The attackers involved in these email campaigns leveraged a variety of distribution...

7.6AI score
Exploits0
FireEye
FireEye
added 2017/09/20 10:0 a.m.20 views

Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware

When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a...

7.4AI score
Exploits0
FireEye
FireEye
added 2017/09/20 10:0 a.m.23 views

Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware

When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a...

7.4AI score
Exploits0
FireEye
FireEye
added 2017/09/19 8:15 p.m.24 views

Introducing pywintrace: A Python Wrapper for ETW

Introduction Event tracing for Windows ETW is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and performance monitoring tool, it was greatly expanded in Windows Vista to create a lightweight debugging mechanism. The...

6.7AI score
Exploits0References8
FireEye
FireEye
added 2017/09/19 4:15 p.m.51 views

Introducing pywintrace: A Python Wrapper for ETW

Introduction Event tracing for Windows ETW is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and performance monitoring tool, it was greatly expanded in Windows Vista to create a lightweight debugging mechanism. The...

6.7AI score
Exploits0
FireEye
FireEye
added 2017/09/19 4:15 p.m.121 views

Introducing pywintrace: A Python Wrapper for ETW

Introduction Event tracing for Windows ETW is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and performance monitoring tool, it was greatly expanded in Windows Vista to create a lightweight debugging mechanism. The...

6.7AI score
Exploits0
FireEye
FireEye
added 2017/09/19 1:0 a.m.15 views

rVMI: Perform Full System Analysis with Ease

Manual dynamic analysis is an important concept. It enables us to observe the behavior of a sophisticated malware sample or exploit by executing it in a controlled environment. The information gathered through this process is often crucial in gaining a full understanding of a sample. When...

6.6AI score
Exploits0References7
FireEye
FireEye
added 2017/09/18 9:0 p.m.31 views

rVMI: Perform Full System Analysis with Ease

Manual dynamic analysis is an important concept. It enables us to observe the behavior of a sophisticated malware sample or exploit by executing it in a controlled environment. The information gathered through this process is often crucial in gaining a full understanding of a sample. When...

6.7AI score
Exploits0
FireEye
FireEye
added 2017/09/18 9:0 p.m.24 views

rVMI: Perform Full System Analysis with Ease

Manual dynamic analysis is an important concept. It enables us to observe the behavior of a sophisticated malware sample or exploit by executing it in a controlled environment. The information gathered through this process is often crucial in gaining a full understanding of a sample. When...

7.1AI score
Exploits0
FireEye
FireEye
added 2017/09/12 1:0 p.m.2665 views

FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft...

9.3CVSS0.99933EPSS
Exploits40
FireEye
FireEye
added 2017/09/12 1:0 p.m.1375 views

FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft...

9.3CVSS8.7AI score0.99933EPSS
Exploits40
FireEye
FireEye
added 2017/09/11 5:0 p.m.16 views

Why Is North Korea So Interested in Bitcoin?

In 2016 we began observing actors we believe to be North Korean utilizing their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system. This marked a departure from previously observed activity of North Korean actors employing cyber espionage for traditiona...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/09/11 5:0 p.m.13 views

Why Is North Korea So Interested in Bitcoin?

In 2016 we began observing actors we believe to be North Korean utilizing their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system. This marked a departure from previously observed activity of North Korean actors employing cyber espionage for traditiona...

0.8AI score
Exploits0
FireEye
FireEye
added 2017/09/01 11:0 a.m.20 views

Monitoring Windows Console Activity (Part 1)

Introduction While performing incident response, Mandiant encounters attackers actively using systems on a compromised network. This activity often includes using interactive console programs via RDP such as the command prompt, PowerShell, and sometimes custom command and control C2 console tools...

0.9AI score
Exploits0
FireEye
FireEye
added 2017/09/01 11:0 a.m.16 views

Monitoring Windows Console Activity (Part 2)

This is the second of two blogs that discuss the implementation of the Windows console architecture from years past, with a primary focus on the current implementation present on modern versions of Windows. Read our first blog, "Monitoring Windows Console Activity Part 1," for more. Capturing the...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/09/01 11:0 a.m.104 views

Monitoring Windows Console Activity (Part 2)

This is the second of two blogs that discuss the implementation of the Windows console architecture from years past, with a primary focus on the current implementation present on modern versions of Windows. Read our first blog, "Monitoring Windows Console Activity Part 1," for more. Capturing the...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/09/01 11:0 a.m.38 views

Monitoring Windows Console Activity (Part 1)

Introduction While performing incident response, Mandiant encounters attackers actively using systems on a compromised network. This activity often includes using interactive console programs via RDP such as the command prompt, PowerShell, and sometimes custom command and control C2 console tools...

7.4AI score
Exploits0
FireEye
FireEye
added 2017/08/24 12:30 p.m.22 views

Announcing the Fourth Annual Flare-On Challenge

The fourth annual Flare-On Challenge – the FireEye Labs Advanced Reverse Engineering FLARE team’s yearly reverse engineering contest – is scheduled to kick off on Sept. 1, 2017, at 8pm ET. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/08/24 12:30 p.m.17 views

Announcing the Fourth Annual Flare-On Challenge

The fourth annual Flare-On Challenge – the FireEye Labs Advanced Reverse Engineering FLARE team’s yearly reverse engineering contest – is scheduled to kick off on Sept. 1, 2017, at 8pm ET. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security...

6.7AI score
Exploits0
FireEye
FireEye
added 2017/08/22 2:0 p.m.45 views

Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit

Exploit kit EK activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular...

9.3CVSS9AI score0.94996EPSS
Exploits50References15
Total number of security vulnerabilities545