545 matches found
Do You See What I CCM?
SCCM Software Metering Reviewing forensic keyword searches can be confusing because it is often difficult for an analyst to determine the source of the various structures that contain string matches. One such structure belongs to Microsoft's System Center Configuration Manager's SCCM software...
FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region
In 2012, a suspected Iranian hacker group called the “Cutting Sword of Justice” used malware known as Shamoon – or Disttrack. In mid-November, Mandiant, a FireEye company, responded to the first Shamoon 2.0 incident against an organization located in the Gulf states. Since then, Mandiant has...
FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region
In 2012, a suspected Iranian hacker group called the “Cutting Sword of Justice” used malware known as Shamoon – or Disttrack. In mid-November, Mandiant, a FireEye company, responded to the first Shamoon 2.0 incident against an organization located in the Gulf states. Since then, Mandiant has...
‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks
FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently, we have not observed this domain being used in any campaigns. The phishing websites appear to b...
‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks
FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently, we have not observed this domain being used in any campaigns. The phishing websites appear to b...
‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks
FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently, we have not observed this domain being used in any campaigns. The phishing websites appear to b...
FireEye Cyber Defense Summit 2016: The Incident Response Track – Technical Details and Solutions that Work
2016 has been a year of significant change to the cyber security landscape. The rapid proliferation of ransomware and the emergence of Internet of Things mass compromise has changed the landscape for responders. Similarly, existing threats have become more brazen, with nation-state actors...
FireEye Cyber Defense Summit 2016: The Incident Response Track – Technical Details and Solutions that Work
2016 has been a year of significant change to the cyber security landscape. The rapid proliferation of ransomware and the emergence of Internet of Things mass compromise has changed the landscape for responders. Similarly, existing threats have become more brazen, with nation-state actors...
Extending Linux Executable Logging With The Integrity Measurement Architecture
Gaining insight into the files being executed on your system is a great first step towards improved visibility on your endpoints. Taking this a step further, centrally storing logs of file execution data so they can be used for detection and hunting provides an excellent opportunity to find evil ...
Extending Linux Executable Logging With The Integrity Measurement Architecture
Gaining insight into the files being executed on your system is a great first step towards improved visibility on your endpoints. Taking this a step further, centrally storing logs of file execution data so they can be used for detection and hunting provides an excellent opportunity to find evil ...
Extending Linux Executable Logging With The Integrity Measurement Architecture
Gaining insight into the files being executed on your system is a great first step towards improved visibility on your endpoints. Taking this a step further, centrally storing logs of file execution data so they can be used for detection and hunting provides an excellent opportunity to find evil ...
2016 Flare-On Challenge Solutions
I would like to thank the challenge authors this year: 1. Alexander Rich 2. Matt Williams @0xmwilliams 3. Dominik Weber 4. James T. Bennett @jtbennettjr 5. Tyler Dean 6. Josh Homan 7. Alex Berry 8. Nick Harbour @nickharbour 9. Jon Erickson @2130706433 10. FireEye Labs Advanced Vulnerability...
2016 Flare-On Challenge Solutions
I would like to thank the challenge authors this year: 1. Alexander Rich 2. Matt Williams @0xmwilliams 3. Dominik Weber 4. James T. Bennett @jtbennettjr 5. Tyler Dean 6. Josh Homan 7. Alex Berry 8. Nick Harbour @nickharbour 9. Jon Erickson @2130706433 10. FireEye Labs Advanced Vulnerability...
Rotten Apples: Resurgence
In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 referred to as the “Zycode” phishing campaign. At FireEye Labs we have an automated system designed to proactively detect newly...
Rotten Apples: Resurgence
In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 referred to as the “Zycode” phishing campaign. At FireEye Labs we have an automated system designed to proactively detect newly...
Rotten Apples: Resurgence
In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 referred to as the “Zycode” phishing campaign. At FireEye Labs we have an automated system designed to proactively detect newly...
Operations of a Brazilian Payment Card Fraud Group
Introduction Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyb...
Operations of a Brazilian Payment Card Fraud Group
Introduction Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyb...
Operations of a Brazilian Payment Card Fraud Group
Introduction Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyb...
Increased Use of WMI for Environment Detection and Evasion
Introduction Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation WMI queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++,...
Increased Use of WMI for Environment Detection and Evasion
Introduction Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation WMI queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++,...
Increased Use of WMI for Environment Detection and Evasion
Introduction Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation WMI queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++,...
Vendetta Brothers, Inc. – A Window Into the Business of the Cybercriminal Underground
FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the “Vendetta Brothers.” This enterprising duo uses various strategies to compromise point-of-sale systems, steal payment card information and sell it on their underground marketplace “Vendetta World.” The...
Vendetta Brothers, Inc. – A Window Into the Business of the Cybercriminal Underground
FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the “Vendetta Brothers.” This enterprising duo uses various strategies to compromise point-of-sale systems, steal payment card information and sell it on their underground marketplace “Vendetta World.” The...
Vendetta Brothers, Inc. – A Window Into the Business of the Cybercriminal Underground
FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the “Vendetta Brothers.” This enterprising duo uses various strategies to compromise point-of-sale systems, steal payment card information and sell it on their underground marketplace “Vendetta World.” The...
Hancitor (AKA Chanitor) observed using multiple attack approaches
Many threat actors use multiple attack vectors to ensure success. The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims. These techniques include uncommon...
Hancitor (AKA Chanitor) observed using multiple attack approaches
Many threat actors use multiple attack vectors to ensure success. The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims. These techniques include uncommon...
Announcing the Third Annual Flare-On Challenge
Let fall be the season for reverse engineering! On Sept. 23, 2016, the FireEye Labs Advanced Reverse Engineering FLARE team will be hosting its third annual Flare-On reverse engineering contest with a designated start time of 8pm ET. This is a CTF-style challenge for all active and aspiring rever...
Announcing the Third Annual Flare-On Challenge
Let fall be the season for reverse engineering! On Sept. 23, 2016, the FireEye Labs Advanced Reverse Engineering FLARE team will be hosting its third annual Flare-On reverse engineering contest with a designated start time of 8pm ET. This is a CTF-style challenge for all active and aspiring rever...
RIPPER ATM Malware and the 12 Million Baht Jackpot
On Aug. 23, 2016, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before. To add more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post newspaper reported...
RIPPER ATM Malware and the 12 Million Baht Jackpot
On Aug. 23, 2016, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before. To add more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post newspaper reported...
RIPPER ATM Malware and the 12 Million Baht Jackpot
On Aug. 23, 2016, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before. To add more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post newspaper reported...
M-Trends Asia Pacific: Organizations Must Improve at Detecting and Responding to Breaches
Since 2010, Mandiant, a FireEye company, has presented trends, statistics and case studies of some of the largest and most sophisticated cyber attacks. In February 2016, we released our annual global M-Trends® report based on data from the breaches we responded to in 2015. Now, we are releasing...
M-Trends Asia Pacific: Organizations Must Improve at Detecting and Responding to Breaches
Since 2010, Mandiant, a FireEye company, has presented trends, statistics and case studies of some of the largest and most sophisticated cyber attacks. In February 2016, we released our annual global M-Trends® report based on data from the breaches we responded to in 2015. Now, we are releasing...
Unsealing the Deal: Cyber Threats to Mergers and Acquisitions Persist in a Hot Market
Risks Posed by Sensitive Corporate Communications, Broadened Attack Surface In 2015, a record $5 trillion dollars was tied up in mergers and acquisitions M&A deals, according to JP Morgan. So far, mega deals in 2016 include Microsoft’s purchase of LinkedIn, Shire’s acquisition of Baxalta, and...
Unsealing the Deal: Cyber Threats to Mergers and Acquisitions Persist in a Hot Market
Risks Posed by Sensitive Corporate Communications, Broadened Attack Surface In 2015, a record $5 trillion dollars was tied up in mergers and acquisitions M&A deals, according to JP Morgan. So far, mega deals in 2016 include Microsoft’s purchase of LinkedIn, Shire’s acquisition of Baxalta, and...
Embedded Hardware Hacking 101 – The Belkin WeMo Link
Why Embedded Hacking? Devices that are connected to the Internet or run a full operating system are becoming more and more prevalent in today’s society. From devices for locomotives to wireless light switches, the Internet of Things IoT trend is on the rise and here to stay. This has the potentia...
Embedded Hardware Hacking 101 – The Belkin WeMo Link
Why Embedded Hacking? Devices that are connected to the Internet or run a full operating system are becoming more and more prevalent in today’s society. From devices for locomotives to wireless light switches, the Internet of Things IoT trend is on the rise and here to stay. This has the potentia...
WMI vs. WMI: Monitoring for Malicious Activity
Hello my name is: WMI WMI has been a core component of Windows since Windows 98, but it is not exactly old wine in a new bottle. WMI more closely resembles that bottle of ‘61 Bordeaux wine that continues to impress us as it ages and matures. WMI was developed as Microsoft’s interpretation of...
WMI vs. WMI: Monitoring for Malicious Activity
Hello my name is: WMI WMI has been a core component of Windows since Windows 98, but it is not exactly old wine in a new bottle. WMI more closely resembles that bottle of ‘61 Bordeaux wine that continues to impress us as it ages and matures. WMI was developed as Microsoft’s interpretation of...
Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns
Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry, as seen in Figure 1. Figure 1. Top 10 affected industries Numerous...
Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns
Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry, as seen in Figure 1. Figure 1. Top 10 affected industries Numerous...
Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns
Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry, as seen in Figure 1. Figure 1. Top 10 affected industries Numerous...
Analyzing the Malware Analysts – Inside FireEye’s FLARE Team
At the Black Hat USA 2016 conference in Las Vegas last week, I was fortunate to sit down with Michael Sikorski, Director, FireEye Labs Advanced Reverse Engineering FLARE Team. During our conversation we discussed the origin of the FLARE team, what it takes to analyze malware, Michael’s book...
Analyzing the Malware Analysts – Inside FireEye’s FLARE Team
At the Black Hat USA 2016 conference in Las Vegas last week, I was fortunate to sit down with Michael Sikorski, Director, FireEye Labs Advanced Reverse Engineering FLARE Team. During our conversation we discussed the origin of the FLARE team, what it takes to analyze malware, Michael’s book...
Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
In the past several years, a flood of vulnerabilities has hit industrial control systems ICS – the technological backbone of electric grids, water supplies, and production lines. These vulnerabilities affect the reliable operation of sensors, programmable controllers, software and networking...
Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
In the past several years, a flood of vulnerabilities has hit industrial control systems ICS – the technological backbone of electric grids, water supplies, and production lines. These vulnerabilities affect the reliable operation of sensors, programmable controllers, software and networking...
FakeNet-NG: Next Generation Dynamic Network Analysis Tool
As a reverse engineer on the FLARE FireEye Labs Advanced Reverse Engineering team, I regularly perform basic dynamic analysis of malware samples. The goal is to quickly observe runtime characteristics by running binaries in a safe environment. One important task during dynamic analysis is to...
FakeNet-NG: Next Generation Dynamic Network Analysis Tool
As a reverse engineer on the FLARE FireEye Labs Advanced Reverse Engineering team, I regularly perform basic dynamic analysis of malware samples. The goal is to quickly observe runtime characteristics by running binaries in a safe environment. One important task during dynamic analysis is to...
Red Team Tool Roundup
In many cases Red Team tools are not written because someone feels like writing a tool, or wakes up one morning thinking, “I want to write a tool today”. Red Teamers generally identify tedious tasks in their methodology and then create tools that automate these tasks for current and future...