CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis
In the previous
installment, we wrote about how string hashing was used in
CARBANAK to manage Windows API resolution throughout the entire
codebase. But the authors used this same string hashing algorithm for
...
CARBANAK Week Part One: A Rare Occurrence
It is very unusual for FLARE to analyze a prolifically-used,
privately-developed backdoor only to later have the source code and
operator tools fall into our laps. Yet this is the extraordinary
circumstance that...
Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People’s Republic
In early 2019, FireEye Threat Intelligence identified a spear
phishing email targeting government entities in Ukraine. The spear
phishing email included a malicious LNK file with PowerShell script to
download the second-stage payload from the command and...
FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash
Adobe Flash is one of the most exploited software components of the
last decade. Its complexity and ubiquity make it an obvious target for
attackers. Public sources list more than
one
...
TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping
Overview
FireEye can now confirm that we have uncovered and are responding
to an additional intrusion by the attacker behind TRITON at a
different critical infrastructure facility.
In December 2017, FireEye publicly released our...
Churning Out Machine Learning Models: Handling Changes in Model Predictions
Introduction
Machine learning (ML) is playing an increasingly important role in
cyber security. Here at FireEye, we employ ML for a variety of tasks
such as: antivirus,
malicious
PowerShell detection, and...
Finding Weaknesses Before the Attackers Do
This blog post originally appeared as an article in M-Trends 2019.
FireEye Mandiant red team consultants perform objectives-based
assessments that emulate real cyber attacks by advanced and nation
state attackers across the entire attack lifecycle...
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
Summary
Recently, FireEye Managed Defense detected and responded to a FIN6
intrusion at a customer within the engineering industry, which seemed
out of character due to FIN6’s historical targeting of payment card
data. The intent of...
Commando VM: The First of Its Kind Windows Offensive Distribution
For penetration testers looking for a stable and supported
Linux testing platform, the industry agrees that Kali is the go-to
platform. However, if you’d prefer to use Windows as an operating
system, you...
WinRAR Zero-day Abused in Multiple Campaigns
WinRAR, an over 20-year-old file archival utility used by over 500 million
users worldwide, recently acknowledged a long-standing
vulnerability in its code-base. A recently published path traversal
zero-day vulnerability, disclosed in CVE-2018-20250 by Check
Point Research, enables attackers
to specify arbitrary destinations during file extraction of...
SilkETW: Because Free Telemetry is…Free!
In the following example, we will collect process event data from the
Kernel provider and use image loads to identify Mimikatz execution. We
can collect the required data with this command:
SilkETW.exe -t kernel -kk
...
Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing
Introduction
Malware authors attempt to evade detection by executing their
payload without having to write the executable file on the disk. One
of the most commonly seen techniques of this "fileless"
execution is code injection. Rather...
Breaking the Bank: Weakness in Financial AI Applications
Currently, threat actors possess limited access to the technology
required to conduct disruptive operations against financial artificial
intelligence (AI) systems and the risk of this targeting type remains
low. However, there is a high risk of...
Going ATOMIC: Clustering and Associating Attacker Activity at Scale
At FireEye, we work hard to detect, track, and stop attackers. As
part of this work, we learn a great deal of information about how
various attackers operate, including details about commonly used
malware, infrastructure, delivery...
APT40: Examining a China-Nexus Espionage Actor
FireEye is highlighting a cyber espionage operation targeting crucial
technologies and traditional intelligence targets from a China-nexus
state sponsored actor we call APT40. The actor has conducted
operations since at least 2013 in support of China’s...
Stuxnet Family Tree Grows
What a newly discovered missing link to Stuxnet and the now-revived Flame cyber espionage malware add to the narrative of the epic cyber-physical attack.
Another dark web marketplace bites the dust –Wall Street Market
Two major dark web marketplaces for buying illegal products shut down in the span of a month.
Google File Cabinet Plays Host to Malware Payloads
Researchers detect a new drive-by download attack in which Google Sites' file cabinet template is a delivery vehicle for malware.
Demonstration Showcase Brings DevOps to Interop19
Attendees will learn how orchestration and automation can be a part of network operations and security, even at smaller companies.
What Home Buying Can Teach Us About Continuous Monitoring
Companies have been brainwashed to solely rely on hiring major auditing companies to help monitor and audit their vendors’ security. Assessments from these traditional auditors are typically an annual point-in-time affair. With technology advancing much more frequently, this outdated...
