ELFant in the Room – capa v3
Since our initial public
release of capa, incident responders and reverse engineers have
used the tool to automatically identify capabilities in Windows
executables. With our newest code and ruleset updates, capa v3 also
identifies...
Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms, Websites, and Forums in at Least Seven Languages, Attempted to Physically Mobilize Protesters in the U.S.
In June 2019, Mandiant Threat Intelligence first
reported to customers a pro-People’s Republic of China (PRC)
network of hundreds of inauthentic accounts on Twitter, Facebook, and
YouTube, that was at that time primarily focused on discrediting
...
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
In August 2021, Mandiant Managed Defense identified and responded to
the exploitation of a chain of vulnerabilities known as ProxyShell.
The ProxyShell vulnerabilities consist of three CVEs
(CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting the
following versions of...
Too Log; Didn’t Read — Unknown Actor Using CLFS Log Files for Stealth
The Mandiant Advanced Practices team recently discovered a new
malware family we have named PRIVATELOG and its installer, STASHLOG.
In this post, we will share a novel and especially interesting
technique the samples use to hide...
Detecting Embedded Content in OOXML Documents
On Advanced Practices, we are always looking for new ways to find
malicious activity and track adversaries over time. Today we’re
sharing a technique we use to detect and cluster Microsoft Office
documents—specifically those in the Office
...
Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
Today, Mandiant disclosed a critical risk vulnerability in
coordination with the Cybersecurity
and Infrastructure Security Agency (“CISA”) that affects
millions of IoT devices that use the ThroughTek “Kalay”
network. This vulnerability, discovered by...
Announcing the Eighth Annual Flare-On Challenge
The FLARE team is once again
hosting its annual Flare-On challenge, now in its eighth year. Take
this opportunity to enjoy some extreme social distancing by solving
fun puzzles to test your mettle and...
UNC215: Spotlight on a Chinese Espionage Campaign in Israel
This blog post details the post-compromise tradecraft and operational
tactics, techniques, and procedures (TTPs) of a Chinese espionage
group we track as UNC215. While UNC215’s targets are located
throughout the Middle East, Europe, Asia, and North...
capa 2.0: Better, Faster, Stronger
We are excited to announce version 2.0 of our open-source tool called
capa. capa automatically identifies capabilities in programs using an
extensible rule set. The tool supports both malware triage and deep
dive reverse engineering. If...
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one
victim through a Trojanized software installer downloaded from a
legitimate website. While this victim organization detected the
intrusion, engaged Mandiant for incident response, and avoided
ransomware,...
Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices
On April 20, 2021, Mandiant published detailed results of our
investigations into compromised
Pulse Secure devices by suspected Chinese espionage operators.
This blog post is intended to provide an update on our findings, give
...
Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises
Attacks on control processes supported by operational technology (OT)
are often perceived as necessarily complex. This is because disrupting
or modifying a control process to cause a predictable effect is often
quite difficult and can require...
Shining a Light on DARKSIDE Ransomware Operations
Update (May 14): Mandiant has observed multiple actors cite a May
13 announcement that appeared to be shared with DARKSIDE RaaS
affiliates by the operators of the service. This announcement stated
...
The UNC2529 Triple Double: A Trifecta Phishing Campaign
In December 2020, Mandiant observed a widespread, global phishing
campaign targeting numerous organizations across an array of
industries. Mandiant tracks this threat actor as UNC2529.
Based on the considerable infrastructure employed, tailored phishing
lures and...
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Mandiant has observed an aggressive financially motivated group,
UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to
a patch being available and deploying sophisticated malware previously
reported by other vendors as SOMBRAT. Mandiant has linked the...
China Telecom booted out of USA as Feds worry it could disrupt or spy on local networks
FCC urges more action against Huawei and DJI, too The US Federal Communications Commission (FCC) has terminated China Telecom's authority to provide communications services in the USA.…
150 People Arrested in US-Europe Darknet Drug Probe
Law enforcement officials in the U.S. and Europe have arrested 150 people and seized more than $31 million in an international drug trafficking investigation stemming from sales on the darknet, the Justice Department said Tuesday.
read more
Free Tool Helps Security Teams Measure Their API Attack Surface
Data Theorem's free API Attack Surface Calculator helps security teams understand potential API exposures.
SquirrelWaffle Loader Malspams, Packing Qakbot, Cobalt Strike
Say hello to what could be the next big spam player: SquirrelWaffle, which is spreading with increasing frequency via spam campaigns and infecting systems with a new malware loader.
North Korea's Lazarus Group Turns to Supply Chain Attacks
State-backed group is among a growing number of threat actors looking at supply chain companies as an entry point into enterprise networks.
