Detecting Microsoft 365 and Azure Active Directory Backdoors
Mandiant has seen an uptick in incidents involving Microsoft 365
(M365) and Azure Active Directory (Azure AD). Most of these incidents
are the result of a phishing email coercing a user to enter their
credentials used...
Fuzzing Image Parsing in Windows, Part One: Color Profiles
Image parsing and rendering are basic features of any modern
operating system (OS). Image parsing is an easily accessible attack
surface, and a vulnerability that may lead to remote code execution or
information disclosure in such a...
A “DFUR-ent” Perspective on Threat Modeling and Application Log Forensic Analysis
Many organizations operating in e-commerce, hospitality, healthcare,
managed services, and other service industries rely on web
applications. And buried within the application logs may be the
potential discovery of fraudulent use and/or compromise! But, let's
...
Emulation of Malicious Shellcode With Speakeasy
In order to enable emulation of malware samples at scale, we have
developed the Speakeasy
emulation framework. Speakeasy aims to make it as easy as
possible for users who are not malware analysts to...
A Hands-On Introduction to Mandiant’s Approach to OT Red Teaming
Operational technology (OT) asset owners have historically considered
red teaming of OT and industrial control system (ICS) networks to be
too risky due to the potential for disruptions or adverse impact to
production systems. While this...
COOKIEJAR: Tracking Adversaries With FireEye Endpoint Security’s Logon Tracker Module
During a recent investigation at a telecommunications company led by
Mandiant
Managed Defense, our team was tasked with rapidly identifying
systems that had been accessed by a threat actor using legitimate, but
...
Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach
The FireEye Front Line Applied Research & Expertise (FLARE) Team
attempts to always stay on top of the most current and emerging
threats. As a member of the FLARE Reverse Engineer team, I recently
received a...
Repurposing Neural Networks to Generate Synthetic Media for Information Operations
FireEye’s Data Science and Information Operations Analysis teams
released this blog post to
coincide with our Black Hat USA 2020 Briefing, which details how
open source, pre-trained neural networks can be leveraged to generate
...
Announcing the Seventh Annual Flare-On Challenge
The Front Line Applied Research
& Expertise (FLARE) team is honored to announce that the popular
Flare-On challenge will return for a triumphant seventh year. Ongoing
global events proved no match against our passion for creating
...
Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates
With Business Email Compromises (BECs) showing no signs of
slowing down, it is becoming increasingly important for security
analysts to understand Office 365 (O365) breaches and how to properly
investigate them. This blog post...
‘Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests
Mandiant Threat Intelligence has tied together several information
operations that we assess with moderate confidence comprise part of a
broader influence campaign—ongoing since at least March 2017—aligned
with Russian security interests. The operations have primarily
...
Unique Threats to Operational Technology and Cyber Physical Systems
In this latest episode of our Eye on
Security podcast, I talk all about the world of operational
technology (OT) and cyber physical systems with one of our foremost
experts on the topic: Nathan Brubaker,...
capa: Automatically Identify Malware Capabilities
capa is the FLARE team’s newest open-source tool for analyzing
malicious programs. Our tool provides a framework for the community to
encode, recognize, and share behaviors that we’ve seen in malware.
Regardless of your background, when...
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Mandiant Threat Intelligence has researched and written extensively
on the increasing financially motivated threat activity directly
impacting operational technology (OT) networks. Some of this research
is available in our previous blog posts on industrial
...
SCANdalous! (External Detection Using Network Scan Data and Automation)
Real Quick
In case you’re thrown by that fantastic title, our lawyers made us
change the name of this project so we wouldn’t get sued.
SCANdalous—a.k.a. Scannah Montana a.k.a. Scanny McScanface a.k.a.
“Scan I Kick It?...
When Coffee Machines Demand Ransom, You Know IoT Is Screwed
A researcher reverse engineered an internet-connected coffee maker to see what kinds of hacks he could do with it. The answer: quite a lot.
Russian Gets 7 Years in Prison for Linkedin, Dropbox & Formspring Hacks
A Russian man received a seven-year prison sentence for having hacked into computers belonging to LinkedIn, Dropbox and Formspring. On September 30, Honorable William H. Alsup, U.S. District Judge for the Northern District of California, sentenced Yevgeniy Alexandrovich Nikulin,...
Detecting Deep Fakes with a Heartbeat
Researchers can detect deep fakes because they don’t convincingly mimic human blood circulation in the face:
In particular, video of a person’s face contains subtle shifts in color that result from pulses in blood circulation. You might imagine that these...
Anthem to Pay Nearly $40M Settlement Over 2015 Cyberattack
Health insurer Anthem has agreed to another multimillion-dollar settlement over a cyberattack on its technology that exposed the personal information of nearly 79 million people.
read more
#BeCyberSmart – why friends don’t let friends get scammed
Friends don't let friends get scammed. Because cybercrime hurts us all.
