“Distinguished Impersonator” Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests
In May 2019, FireEye Threat Intelligence published a blog post
exposing a network of English-language social media accounts that
engaged in inauthentic
behavior and misrepresentation that we assessed with low
confidence was organized in...
Managed Defense: The Analytical Mindset
When it comes to cyber security (managed services or otherwise),
you’re ultimately reliant on analyst expertise to keep your
environment safe. Products and intelligence are necessary pieces of
the security puzzle to generate detection signal and...
STOMP 2 DIS: Brilliance in the (Visual) Basics
Throughout January 2020, FireEye has continued to observe multiple
targeted phishing campaigns designed to download and deploy a backdoor
we track as MINEBRIDGE. The campaigns primarily targeted financial
services organizations in the United States, though targeting...
Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D
DLL Abuse Techniques Overview
Dynamic-link library (DLL) side-loading occurs
when Windows Side-by-Side (WinSxS) manifests are
not explicit about the characteristics of DLLs being loaded by a
program. In layman’s terms, DLL side-loading can allow an attacker to
...
Nice Try: 501 (Ransomware) Not Implemented
An Ever-Evolving Threat
Since January 10, 2020, FireEye has tracked extensive global
exploitation of CVE-2019-19781, which continues to impact Citrix ADC
and Gateway instances
that are unpatched or do not have mitigations
applied....
404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor
As noted in Rough
Patch: I Promise It'll Be 200 OK, our FireEye Mandiant
Incident Response team has been hard at work responding to intrusions
stemming from the exploitation of CVE-2019-19781. After analyzing
...
SAIGON, the Mysterious Ursnif Fork
Ursnif (aka Gozi/Gozi-ISFB) is one of the oldest banking malware
families still in active distribution. While the first major version
of Ursnif was identified in 2006, several subsequent versions have
been released in large part due...
The FireEye Approach to Operational Technology Security
Today FireEye launches the Cyber Physical Threat Intelligence
subscription, which provides cyber security professionals with
unmatched context, data and actionable analysis on threats and risk to
cyber physical systems. In light of this release, we thought...
Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774)
Attackers have a dirty little secret that is being used to conduct
big intrusions. We’ll explain how they're "unpatching" an
exploit and then provide new Outlook hardening guidance that is not
available elsewhere. Specifically, this blog...
Excelerating Analysis – Tips and Tricks to Analyze Data with Microsoft Excel
Incident response investigations don’t always involve standard
host-based artifacts with fully developed parsing and analysis tools.
At FireEye Mandiant, we frequently encounter incidents that involve a
number of systems and solutions that utilize custom logging or
...
FIDL: FLARE’s IDA Decompiler Library
IDA Pro and the Hex Rays decompiler are a core part of any toolkit
for reverse engineering and vulnerability research. In a previous blog
post we discussed how the Hex-Rays
API can be used to solve...
Attention is All They Need: Combatting Social Media Information Operations With Neural Language Models
Information operations have flourished on social media in part
because they can be conducted cheaply, are relatively low risk, have
immediate global reach, and can exploit the type of viral
amplification incentivized by platforms. Using networks...
MESSAGETAP: Who’s Reading Your Text Messages?
FireEye Mandiant recently discovered a new malware family used by
APT41 (a Chinese APT group) that is designed to monitor and save SMS
traffic from specific phone numbers, IMSI numbers and keywords for
subsequent theft. Named...
CertUtil Qualms: They Came to Drop FOMBs
This blog post covers an interesting intrusion attempt that FireEye
Managed Defense thwarted involving the rapid weaponization of a
recently disclosed vulnerability combined with the creative use of WMI
compiled “.bmf” files and CertUtil for
obfuscated execution.
This...
Shikata Ga Nai Encoder Still Going Strong
One of the most popular exploit frameworks in the world is
Metasploit. Its vast library of pocket exploits, pluggable payload
environment, and simplicity of execution makes it the de facto base
platform. Metasploit is used by...
Sensitive plastic surgery images exposed online
Researchers at VPN advisory company vpnMentor have found yet another online data exposure caused by a misconfigured cloud database.
Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs
A lack of proper code-signing verification and authentication for firmware updates opens the door to information disclosure, remote code execution, denial of service and more.
12 hottest new cybersecurity startups at RSA 2020
Starting on February 24, the RSA Conference (RSAC) 2020 gives security vendors old and new a chance to demonstrate their capabilities. The event has become an attractive venue for startups to make their debut. This year’s crop will be...
Hundreds of Millions of PC Components Still Have Hackable Firmware
The lax security of supply chain firmware has been a known concern for years—with precious little progress being made.
Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites
Remote Wipe Plugin Bug Hits 200,000+ WordPress SitesSecurity researchers are warning of a new plugin vulnerability which is exposing over 200,000 WordPress sites to the risk of being remotely wiped by an attacker.
The problem lies with versions 1.3.4 and...
