So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Mandiant Advanced Practices (AP) closely tracks the shifting tactics,
techniques, and procedures (TTPs) of financially motivated groups who
severely disrupt organizations with ransomware. In May 2020, FireEye
released a blog
post detailing intrusion...
Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
Starting in mid-December 2020, malicious actors that Mandiant tracks
as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s
legacy File Transfer Appliance (FTA) to install a newly discovered web
shell named DEWMODE. The motivation of UNC2546 was...
Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part Two)
In this post, we continue our analysis of the SolarCity
ConnectPort X2e Zigbee device (referred to throughout as X2e
device). In Part
One, we discussed the X2e at a high level, performed initial
...
Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part One)
In 2019, Mandiant’s Red Team discovered a series of vulnerabilities
present within Digi International’s ConnectPort
X2e device, which allows for remote code execution as a privileged
user. Specifically, Mandiant’s research focused on SolarCity’s (now
owned...
Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication
FireEye Email
Security recently encountered various phishing campaigns, mostly
in the Americas and Europe, using source code obfuscation with
compromised or bad domains. These domains were masquerading as
authentic websites and stole personal information such...
Training Transformers for Cyber Security Tasks: A Case Study on Malicious URL Prediction
Highlights
Perform a case study on using Transformer models to solve
cyber security problems Train a Transformer model to detect
malicious URLs under multiple training regimes Compare our
...
Emulation of Kernel Mode Rootkits With Speakeasy
In August 2020, we released a blog post about how the Speakeasy emulation
framework can be used to emulate user mode malware such as
shellcode. If you haven’t had a chance, give
the post...
Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
In December 2020, FireEye uncovered and publicly disclosed a
widespread attacker campaign that is being tracked as UNC2452.
In some, but not all, of the intrusions associated with this campaign
where Mandiant has visibility, the attacker...
SUNBURST Additional Technical Details
FireEye has discovered additional details about the SUNBURST backdoor
since our initial publication on Dec. 13, 2020. Before diving into the
technical depth of this malware, we recommend readers familiarize
themselves with our blog post about...
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Executive Summary
We have discovered a global intrusion campaign. We are
tracking the actors behind this campaign as UNC2452.
FireEye discovered a supply chain attack trojanizing SolarWinds
Orion business...
Unauthorized Access of FireEye Red Team Tools
Overview
A highly sophisticated state-sponsored adversary stole FireEye Red
Team tools. Because we believe that an adversary possesses these
tools, and we do not know whether the attacker intends to use the
stolen tools themselves or...
Using Speakeasy Emulation Framework Programmatically to Unpack Malware
Andrew
Davis recently announced
the public release of his new Windows emulation framework named
Speakeasy. While
the introductory blog post focused on using Speakeasy as an automated
malware...
Election Cyber Threats in the Asia-Pacific Region
In democratic societies, elections are the mechanism for choosing
heads of state and policymakers. There are strong incentives for
adversary nations to understand the intentions and preferences of the
people and parties that will shape a...
WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques
Microsoft is known for their backwards compatibility. When they
rolled out the 64-bit variant of Windows years ago they needed to
provide compatibility with existing 32-bit applications. In order to
provide seamless execution regardless of application...
In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover — CVE-2020-14871
FireEye Mandiant has been investigating compromised Oracle Solaris
machines in customer environments. During our investigations, we
discovered an exploit tool on a customer’s system and analyzed it to
see how it was attacking their Solaris environment....
Dairy Giant Lactalis Targeted by Hackers
France-based dairy giant Lactalis revealed last week that it was targeted by hackers, but claimed that it had found no evidence of a data breach.
The company said a malicious third party attempted to breach its computer network, but it...
Crypto firm Tether says it won’t pay $24 million ransom after being threatened with document leak
Controversial cryptocurrency developer Tether says it will not give in to extortionists who are demanding a 500 Bitcoin ransom payment (currently worth approximately US $24 million).
Mysterious Macintosh Malware
This is weird:
Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload...
What Did I Just Read? A Conversation With the Authors of '2034'
Elliot Ackerman and Admiral James Stavridis discuss their inspirations, personal experiences, and what keeps them up at night.
2034, Part VI: Crossing the Red Line
“Eventually, the Americans would find them. But by then it would be too late.”
