Tuesday, December 11, 2018
FireEye

Obfuscated Command Line Detection Using Machine Learning

This blog post presents a machine learning (ML) approach to solving an emerging security problem: detecting obfuscated Windows command line invocations on endpoints. We start out with an introduction to this relatively new threat capability, and...
FireEye

Cmd and Conquer: De-DOSfuscation with flare-qdb

When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation...
FireEye

Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign

Introduction FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting. The attempts involved a...
FireEye

FLARE VM Update

FLARE VM is the first of its kind reverse engineering and malware analysis distribution on Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many reverse...
FireEye

TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

Overview In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems (ICS) at a critical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide...
FireEye

ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field

Introduction FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements (ICS Healthcheck) performed by Mandiant, FireEye's consulting team, to identify the most pervasive and highest priority security risks in industrial facilities....
FireEye

2018 Flare-On Challenge Solutions

We are pleased to announce the conclusion of the fifth annual Flare-On Challenge. The numbers are in and we can safely say that this was by far the most difficult challenge we’ve ever hosted. We plan to ...
FireEye

FLARE Script Series: Reverse Engineering WebAssembly Modules Using the idawasm IDA Pro Plugin

Introduction This post continues the FireEye Labs Advanced Reverse Engineering (FLARE) script series. Here, we introduce idawasm, an IDA Pro plugin that provides a loader and processor modules for WebAssembly modules. idawasm works on all operating...
FireEye

APT38: Details on New North Korean Regime-Backed Threat Group

Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly...
FireEye

Increased Use of a Delphi Packer to Evade Malware Classification

Introduction The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools. Evasion of classification and detection is an arms...
FireEye

Click It Up: Targeting Local Government Payment Portals

FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. Click2Gov is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow...
FireEye

APT10 Targeting Japanese Corporations Using Updated TTPs

Introduction In July 2018, FireEye devices detected and blocked what appears to be APT10 (Menupass) activity targeting the Japanese media sector. APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009, and they...
FireEye

Fallout Exploit Kit Used in Malvertising Campaign to Deliver Gandcrab Ransomware

Towards the end of August 2018, FireEye identified a new exploit kit (EK) that was being served up as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other...
FireEye

Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East

FireEye has identified a suspected influence operation that appears to originate from Iran aimed at audiences in the U.S., U.K., Latin America, and the Middle East. This operation is leveraging a network of inauthentic news sites...
FireEye

Announcing the Fifth Annual Flare-On Challenge

The FireEye Labs Advanced Reverse Engineering (FLARE) team’s annual reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24, 2018. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts,...
Computerworld

And that was actually the CLEAN version!

It's more than a few years back, and this oilfield services company is implementing a new email filter, says a pilot fish working there."It was part of an email security product," fish says. "The filter could identify emails containing...

Review: How StackRox protects containers

With the rise of cloud computing and later DevOps, containerization has never been more popular. But cybersecurity has yet to fully catch up. Even security applications designed to work natively in the cloud have trouble protecting the most popular...

Dark web goldmine busted by Europol

What’s the safest way to buy counterfeit banknotes? Not on the dark web market, as 235 people have just discovered to their cost.
Security Affairs

Google will shut down consumer version of Google+ earlier due to a bug

Google announced it will close the consumer version of Google+ before than originally planned due to the discovery of a new security flaw. Google will close the consumer version of Google+ in April, four months earlier than planned. According to G...

Teen SWATter who had 400 schools evacuated lands 3 years in jail

George Duke-Cohan is the British teen who posed as a worried father whose daughter had called him mid-flight during a hijacking.