APT39: An Iranian Cyber Espionage Group Focused on Personal Information
In December 2018, FireEye identified APT39 as an Iranian cyber
espionage group responsible for widespread theft of personal
information. We have tracked activity linked to this group since
November 2014 in order to protect organizations from...
Bypassing Network Restrictions Through RDP Tunneling
Remote Desktop Services is a component of Microsoft Windows that is
used by various companies for the convenience it offers systems
administrators, engineers and remote employees. On the other hand,
Remote Desktop Services, and specifically the...
Cryptocurrency and Blockchain Networks: Facing New Security Paradigms
On Jan. 22, FireEye participated in a panel focused on
cryptocurrencies and blockchain technology during the World Economic
Forum. The panel addressed issues raised in a report
developed by FireEye, together with our partner Marsh &...
A Nasty Trick: From Credential Theft Malware to Business Disruption
FireEye is tracking a set of financially-motivated activity referred
to as TEMP.MixMaster that involves the interactive deployment of Ryuk
ransomware following TrickBot malware infections. These operations
have been active since at least December 2017, with a...
Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
Introduction
FireEye’s Mandiant Incident Response and Intelligence teams have
identified a wave of DNS hijacking that has affected dozens of domains
belonging to government, telecommunications and internet
infrastructure entities across the Middle East and North Africa,
...
Digging Up the Past: Windows Registry Forensics Revisited
Introduction
FireEye consultants frequently utilize Windows registry data when
performing forensic analysis of computer networks as part of incident
response and compromise assessment missions. This can be useful to
discover malicious activity and to determine what...
OVERRULED: Containing a Potentially Destructive Adversary
Introduction
FireEye assesses APT33 may be behind a series of intrusions and
attempted intrusions within the engineering industry. Public reporting
indicates this activity may be related to recent destructive attacks.
FireEye's Managed
Defense has responded...
What are Deep Neural Networks Learning About Malware?
An increasing number of modern antivirus solutions rely on machine
learning (ML) techniques to protect users from malware. While ML-based
approaches, like FireEye Endpoint Security’s MalwareGuard
capability, have done a great job at detecting new threats,...
FLARE Script Series: Automating Objective-C Code Analysis with Emulation
This blog post is the next episode in the
FireEye Labs Advanced Reverse Engineering (FLARE) team Script Series.
Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation
...
Obfuscated Command Line Detection Using Machine Learning
This blog post presents a machine learning (ML) approach to solving
an emerging security problem: detecting obfuscated Windows command
line invocations on endpoints. We start out with an introduction to
this relatively new threat capability, and...
Cmd and Conquer: De-DOSfuscation with flare-qdb
When Daniel
Bohannon released his excellent DOSfuscation
paper, I was fascinated to see how tricks I used as a systems engineer
could help attackers evade detection. I didn’t have much to contribute
to this conversation...
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Introduction
FireEye devices detected
intrusion attempts against multiple industries, including think
tank, law enforcement, media, U.S. military, imagery,
transportation, pharmaceutical, national government, and defense
contracting. The attempts involved a...
FLARE VM Update
FLARE VM is the first of its kind reverse engineering and malware
analysis distribution on Windows platform. Since its introduction
in July 2017, FLARE VM has been continuously trusted and used by
many reverse...
TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
Overview
In a previous blog post we detailed the TRITON
intrusion that impacted industrial control systems (ICS) at a
critical infrastructure facility. We now track this activity set as
TEMP.Veles. In this blog post we provide...
ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field
Introduction
FireEye iSIGHT Intelligence compiled extensive data from dozens of
ICS security health assessment engagements (ICS Healthcheck) performed
by Mandiant, FireEye's consulting team, to identify the most pervasive
and highest priority security risks in industrial facilities....
Can you really sniff out gas station card skimmers with your phone?
A viral post suggests (wrongly) that card skimmers always use Bluetooth. Anyway, just looking at nearby Bluetooth names doesn't help much...
Canada Helping Australia Determine ‘Full Extent’ of Hack
Canada's electronic eavesdropping agency said Wednesday it is working with Canberra to try to determine the scale of computer hacking on Australia's parliament and political parties just months from an election.
read more
Researcher: Not Hard for a Hacker to Capsize a Ship at Sea
Maritime transport still contributes in an important way to the world’s economy, with on-time shipments influencing everything from commodities availability and spot pricing to the stability of small countries. Unfortunately, capsizing a ship with a cyberattack is a relatively...
30 years in: My, how SC and security have changed
1989. Acid wash jeans, Bon Jovi and the compassionate conservatism of the Reagan Era were actually, unironically popular. The Berlin Wall fell, free elections were held in the then Soviet Congress of Deputies, Vaclev Havel became president of Czechoslavakia,...
WinPot ATM Malware Resembles a Slot Machine
A piece of malware targeting automated teller machines (ATMs) has an interface that looks like a slot machine, Kaspersky Lab reports.
Dubbed WinPot, the malware was initially detected in March last year, targeting the ATMs of a popular vendor to...
