Obfuscated Command Line Detection Using Machine Learning
This blog post presents a machine learning (ML) approach to solving
an emerging security problem: detecting obfuscated Windows command
line invocations on endpoints. We start out with an introduction to
this relatively new threat capability, and...
Cmd and Conquer: De-DOSfuscation with flare-qdb
When Daniel
Bohannon released his excellent DOSfuscation
paper, I was fascinated to see how tricks I used as a systems engineer
could help attackers evade detection. I didn’t have much to contribute
to this conversation...
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Introduction
FireEye devices detected
intrusion attempts against multiple industries, including think
tank, law enforcement, media, U.S. military, imagery,
transportation, pharmaceutical, national government, and defense
contracting. The attempts involved a...
FLARE VM Update
FLARE VM is the first of its kind reverse engineering and malware
analysis distribution on Windows platform. Since its introduction
in July 2017, FLARE VM has been continuously trusted and used by
many reverse...
TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
Overview
In a previous blog post we detailed the TRITON
intrusion that impacted industrial control systems (ICS) at a
critical infrastructure facility. We now track this activity set as
TEMP.Veles. In this blog post we provide...
ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field
Introduction
FireEye iSIGHT Intelligence compiled extensive data from dozens of
ICS security health assessment engagements (ICS Healthcheck) performed
by Mandiant, FireEye's consulting team, to identify the most pervasive
and highest priority security risks in industrial facilities....
2018 Flare-On Challenge Solutions
We are pleased to announce the conclusion of the fifth annual
Flare-On Challenge. The numbers are in and we can safely say that this
was by far the most difficult challenge we’ve ever hosted. We plan to
...
FLARE Script Series: Reverse Engineering WebAssembly Modules Using the idawasm IDA Pro Plugin
Introduction
This post continues the FireEye Labs Advanced Reverse Engineering
(FLARE) script series. Here, we introduce idawasm, an IDA Pro plugin
that provides a loader and processor modules for WebAssembly modules.
idawasm works on all operating...
APT38: Details on New North Korean Regime-Backed Threat Group
Today, we are releasing details on the threat group that we believe
is responsible for conducting financial crime on behalf of the North
Korean regime, stealing millions of dollars from banks worldwide. The
group is particularly...
Increased Use of a Delphi Packer to Evade Malware Classification
Introduction
The concept of "packing" or "crypting" a
malicious program is widely popular among threat actors looking to
bypass or defeat analysis by static and dynamic analysis tools.
Evasion of classification and detection is an arms...
Click It Up: Targeting Local Government Payment Portals
FireEye has been tracking a campaign this year targeting web payment
portals that involves on-premise installations of Click2Gov. Click2Gov
is a web-based, interactive self-service bill-pay software solution
developed by Superion. It includes various modules that allow...
APT10 Targeting Japanese Corporations Using Updated TTPs
Introduction
In July 2018, FireEye devices detected and blocked what appears to
be APT10 (Menupass) activity targeting the Japanese media sector.
APT10 is a Chinese cyber espionage group that FireEye has tracked
since 2009, and they...
Fallout Exploit Kit Used in Malvertising Campaign to Deliver Gandcrab Ransomware
Towards the end of August 2018, FireEye identified a new exploit kit
(EK) that was being served up as part of a malvertising campaign
affecting users in Japan, Korea, the Middle East, Southern Europe, and
other...
Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East
FireEye has identified a suspected influence operation that appears
to originate from Iran aimed at audiences in the U.S., U.K., Latin
America, and the Middle East. This operation is leveraging a network
of inauthentic news sites...
Announcing the Fifth Annual Flare-On Challenge
The FireEye Labs Advanced Reverse Engineering (FLARE) team’s annual
reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24,
2018. This is a CTF-style challenge for all active and aspiring
reverse engineers, malware analysts,...
And that was actually the CLEAN version!
It's more than a few years back, and this oilfield services company is implementing a new email filter, says a pilot fish working there."It was part of an email security product," fish says. "The filter could identify emails containing...
Review: How StackRox protects containers
With the rise of cloud computing and later DevOps, containerization has never been more popular. But cybersecurity has yet to fully catch up. Even security applications designed to work natively in the cloud have trouble protecting the most popular...
Dark web goldmine busted by Europol
What’s the safest way to buy counterfeit banknotes? Not on the dark web market, as 235 people have just discovered to their cost.
Google will shut down consumer version of Google+ earlier due to a bug
Google announced it will close the consumer version of Google+ before than originally planned due to the discovery of a new security flaw.
Google will close the consumer version of Google+ in April, four months earlier than planned. According to G...
Teen SWATter who had 400 schools evacuated lands 3 years in jail
George Duke-Cohan is the British teen who posed as a worried father whose daughter had called him mid-flight during a hijacking.
