It’s Your Money and They Want It Now — The Cycle of Adversary Pursuit
When we discover new intrusions, we ask ourselves questions that will
help us understand the totality of the activity set.
How common is this activity? Is there anything unique or special
about this malware or campaign? What...
Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks
Given the community interest and media coverage surrounding the
economic stimulus bill currently being considered by the United States
House of Representatives, we anticipate attackers will increasingly
leverage lures tailored to the new stimulus bill and...
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Beginning this year, FireEye observed Chinese actor
APT41 carry out one of the broadest campaigns by a Chinese cyber
espionage actor we have observed in recent years. Between January 20
and March 11, FireEye observed APT41
...
Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats
There has only been a small number of broadly documented cyber
attacks targeting operational technologies (OT) / industrial control
systems (ICS) over the last decade. While fewer attacks is clearly a
good thing, the lack of...
Six Facts about Address Space Layout Randomization on Windows
Overcoming address space layout randomization (ASLR) is a
precondition of virtually all modern memory corruption
vulnerabilities. Breaking ASLR is an area of active research and can
get incredibly complicated. This blog post presents some basic facts
...
They Come in the Night: Ransomware Deployment Trends
Ransomware is a remote, digital shakedown. It is disruptive and
expensive, and it affects all kinds of organizations, from cutting
edge space
technology firms, to the wool
industry, to industrial
environments. Infections have forced...
Crescendo: Real Time Event Viewer for macOS
Prior to 2017, researchers couldn’t easily monitor actions performed
by a process on macOS and had to resort to coding scripts that
produced low level system call data. FireEye released Monitor.app
in 2017 that enabled collection...
Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT
Since at least 2017, there has been a significant increase in public
disclosures of ransomware incidents impacting industrial production
and critical infrastructure organizations. Well-known ransomware
families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now
SNAKEHOSE...
M-Trends 2020: Insights From the Front Lines
Today we release
M-Trends
2020, the 11th edition of our popular annual
FireEye Mandiant report. This latest M-Trends contains all of
the statistics, trends, case studies and hardening recommendations
that readers...
The Missing LNK — Correlating User Search LNK files
Forensic investigators use LNK shortcut files to recover metadata
about recently accessed files, including files deleted after the time
of access. In a recent investigation, FireEye Mandiant encountered LNK
files that indicated an attacker accessed files...
“Distinguished Impersonator” Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests
In May 2019, FireEye Threat Intelligence published a blog post
exposing a network of English-language social media accounts that
engaged in inauthentic
behavior and misrepresentation that we assessed with low
confidence was organized in...
Managed Defense: The Analytical Mindset
When it comes to cyber security (managed services or otherwise),
you’re ultimately reliant on analyst expertise to keep your
environment safe. Products and intelligence are necessary pieces of
the security puzzle to generate detection signal and...
STOMP 2 DIS: Brilliance in the (Visual) Basics
Throughout January 2020, FireEye has continued to observe multiple
targeted phishing campaigns designed to download and deploy a backdoor
we track as MINEBRIDGE. The campaigns primarily targeted financial
services organizations in the United States, though targeting...
Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D
DLL Abuse Techniques Overview
Dynamic-link library (DLL) side-loading occurs
when Windows Side-by-Side (WinSxS) manifests are
not explicit about the characteristics of DLLs being loaded by a
program. In layman’s terms, DLL side-loading can allow an attacker to
...
Nice Try: 501 (Ransomware) Not Implemented
An Ever-Evolving Threat
Since January 10, 2020, FireEye has tracked extensive global
exploitation of CVE-2019-19781, which continues to impact Citrix ADC
and Gateway instances
that are unpatched or do not have mitigations
applied....
Palantir, The $20 Billion, Peter Thiel-Backed Big Data Giant, Is Providing A Coronavirus Monitoring Tool To The CDC
Palantir will help the Centers for Disease Control keep on top of ventilator and mask needs to treat coronavirus victims, sources say.
Defense Evasion Dominated 2019 Attack Tactics
Researchers mapped tactics and techniques to the MITRE ATT&CK framework to determine which were most popular last year.
Watering-Holes Target Asian Ethnic Victims with Flash Update Decoy
About 10 compromised websites employ a multi-stage, targeted effort to fingerprint and compromise victims.
OpenWRT is vulnerable to attacks that execute malicious code
Enlarge (credit: OpenWRT)
For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital...
Privacy in critical care after telehealth demands jump
As coughs and body aches drive anxious Americans to telemed services in record numbers, relieving the burden on medical facilities stressed to breaking with COVID-19 cases, the subsequent relaxation of privacy requirements puts them at risk of PHI compromises,...
