capa 2.0: Better, Faster, Stronger
We are excited to announce version 2.0 of our open-source tool called
capa. capa automatically identifies capabilities in programs using an
extensible rule set. The tool supports both malware triage and deep
dive reverse engineering. If...
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one
victim through a Trojanized software installer downloaded from a
legitimate website. While this victim organization detected the
intrusion, engaged Mandiant for incident response, and avoided
ransomware,...
Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices
On April 20, 2021, Mandiant published detailed results of our
investigations into compromised
Pulse Secure devices by suspected Chinese espionage operators.
This blog post is intended to provide an update on our findings, give
...
Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises
Attacks on control processes supported by operational technology (OT)
are often perceived as necessarily complex. This is because disrupting
or modifying a control process to cause a predictable effect is often
quite difficult and can require...
Shining a Light on DARKSIDE Ransomware Operations
Update (May 14): Mandiant has observed multiple actors cite a May
13 announcement that appeared to be shared with DARKSIDE RaaS
affiliates by the operators of the service. This announcement stated
...
The UNC2529 Triple Double: A Trifecta Phishing Campaign
In December 2020, Mandiant observed a widespread, global phishing
campaign targeting numerous organizations across an array of
industries. Mandiant tracks this threat actor as UNC2529.
Based on the considerable infrastructure employed, tailored phishing
lures and...
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Mandiant has observed an aggressive financially motivated group,
UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to
a patch being available and deploying sophisticated malware previously
reported by other vendors as SOMBRAT. Mandiant has linked the...
Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity
In July 2020, Mandiant
Threat Intelligence released a
public report detailing an ongoing influence campaign we named
“Ghostwriter.” Ghostwriter is a cyber-enabled influence campaign which
primarily targets audiences in Lithuania, Latvia...
Abusing Replication: Stealing AD FS Secrets Over the Network
Organizations are increasingly adopting cloud-based services such as
Microsoft 365 to host applications and data. Sophisticated threat
actors are catching on and Mandiant has observed an increased focus on
long-term persistent access to Microsoft 365 as...
Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise
In March 2021, Mandiant Managed Defense identified three zero-day
vulnerabilities in SonicWall’s Email Security (ES) product that were
being exploited in the wild. These vulnerabilities were executed in
conjunction to obtain administrative access and code execution...
Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Executive Summary
Mandiant recently responded to multiple security incidents
involving compromises of Pulse Secure VPN appliances. This
blog post examines multiple, related techniques for bypassing single
and multifactor authentication...
Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure
High-profile security incidents in the past decade have brought
increased scrutiny to cyber security for operational technology (OT).
However, there is a continued perception across critical
infrastructure organizations that OT networks are isolated from public
...
M-Trends 2021: A View From the Front Lines
We are thrilled to launch
M-Trends
2021, the 12th edition of our annual FireEye
Mandiant publication. The past year has been unique, as we witnessed
an unprecedented combination of global events. Business...
Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service
In this blog post we will describe: How
attackers use the Background Intelligent Transfer Service
...
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Beginning in January 2021, Mandiant Managed Defense observed multiple
instances of abuse of Microsoft Exchange Server within at least one
client environment. The observed activity included creation of web
shells for persistent access, remote code execution,...
Cybersecurity professionals: Positive reinforcement works wonders with users
The blame game is not working; experts suggest using positive reinforcement to improve employee attitude and performance.
Google Patches High-Risk Android Security Flaws
Google this week pushed out a security-themed Android update with fixes for more than 30 security flaws that expose mobile users to a range of malicious hacker attacks.
The latest Android update provides documentation on 33 security bugs, some serious...
Awful transaction and timing: AT&T finally ditches DirecTV
Enlarge (credit: Getty Images | Ronald Martinez)
AT&T has completed its spinoff of DirecTV after six years of mismanagement in which nearly 10 million customers ditched the company's pay-TV services.
AT&T bought DirecTV for $49 billion ($67 billion including...
Mismanagement Driving Cybersecurity Skills Gap: Research
“To some extent, this data supports the theory that the cybersecurity skills shortage is related to mismanagement rather than a dearth of qualified candidates or advanced skills.”
read more
Linux Kernel Security Done Right
Posted by Kees Cook, Software Engineer, Google Open Source Security TeamTo borrow from an excellent analogy between the modern computer ecosystem and the US automotive industry of the 1960s, the Linux kernel runs well: when driving down the highway,...
