Announcing the Fifth Annual Flare-On Challenge
The FireEye Labs Advanced Reverse Engineering (FLARE) team’s annual
reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24,
2018. This is a CTF-style challenge for all active and aspiring
reverse engineers, malware analysts,...
BIOS Boots What? Finding Evil in Boot Code at Scale!
The second issue is that reverse engineering all boot records is
impractical. Given the job of determining if a single system is
infected with a bootkit, a malware analyst could acquire a disk image
and then...
On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation
On Aug. 1, 2018, the United
States District Attorney’s Office for the Western District of
Washington unsealed indictments and announced the arrests of three
individuals within the leadership ranks of a criminal organization
...
Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign
Campaign Details
In September 2017, FireEye identified the FELIXROOT backdoor as a
payload in a campaign targeting Ukrainians and reported it to our
intelligence customers. The campaign involved malicious Ukrainian bank
documents, which contained a macro...
How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners
Introduction
Cyber criminals tend to favor cryptocurrencies because they provide
a certain level of anonymity and can be easily monetized. This interest
has increased in recent years, stemming far beyond the desire to
simply...
Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally
Introduction
FireEye has examined a range of TEMP.Periscope activity revealing
extensive interest in Cambodia's politics, with active compromises of
multiple Cambodian entities related to the country’s electoral system.
This includes compromises of Cambodian government entities charged
...
Malicious PowerShell Detection via Machine Learning
Introduction
Cyber security vendors and researchers have reported for years how
PowerShell is being used by cyber threat actors to install
backdoors, execute
malicious code, and otherwise achieve their objectives within
enterprises. Security...
RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique
Introduction
Through FireEye Dynamic Threat Intelligence (DTI), we observed RIG
Exploit Kit (EK) delivering a dropper that leverages the PROPagate
injection technique to inject code that downloads and executes a
Monero miner (similar activity...
Bring Your Own Land (BYOL) – A Novel Red Teaming Technique
Introduction
One of most significant recent developments in sophisticated
offensive operations is the use of “Living off the Land” (LotL)
techniques by attackers. These techniques leverage legitimate tools
present on the system, such as the PowerShell...
A Totally Tubular Treatise on TRITON and TriStation
Introduction
In December 2017, FireEye's Mandiant discussed an
incident response involving the TRITON
framework. The TRITON attack and many of the publicly discussed
ICS intrusions involved routine techniques where the threat actors
used only what...
Reverse Engineering the Analyst: Building Machine Learning Models for the SOC
Many cyber incidents can be traced back to an original alert that was
either missed or ignored by the Security Operations Center (SOC) or
Incident Response (IR) team. While most analysts and SOCs are vigilant
and...
Remote Authentication GeoFeasibility Tool – GeoLogonalyzer
Users have long needed to access important resources such as virtual
private networks (VPNs), web applications, and mail servers from
anywhere in the world at any time. While the ability to access
resources from anywhere is...
Shining a Light on OAuth Abuse with PwnAuth
Introduction
Spear phishing attacks are seen as one of the biggest cyber threats
to an organization. It only takes one employee to enter their
credentials or run some malware for an entire organization to become
compromised....
A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan
As discussed in previous
blogs, exploit kit activity has been on the decline since the
latter half of 2016. However, we do still periodically observe
significant developments in this space, and we have been observing
...
Rooting a Logitech Harmony Hub: Improving Security in Today’s IoT World
Introduction
FireEye’s Mandiant Red Team recently discovered vulnerabilities
present on the Logitech Harmony Hub Internet of Things (IoT) device
that could potentially be exploited, resulting in root access to the
device via SSH. The Harmony Hub...
Mozilla-endorsed security plug-in accused of tracking users
Web Security says there's nothing nefarious to its URL collection A security plug-in for the Firefox browser is under fire after users discovered it was collecting and uploading their online activity.…
Making money mining Coinhive? Yeah, you and nine other people
10 users controlling the bulk of cryptocoin generator funds Mining internet currency on websites with Coinhive scripts is a lucrative endeavor, but only for a handful of people.…
Google Launches Searchable Database on US Political Ads
The new site offers an eye-opening view of how online political ad spending through Google can work. It offers a breakdown on individual ad campaigns, including a catalog of what ads were served and to which demographic groups.
Intel Reveals New Spectre-Like Vulnerability
A new side-channel speculative execution vulnerability takes aim at a different part of the CPU architecture than similar vulnerabilities that came before it.
Miller & Valasek: Security Stakes Higher for Autonomous Vehicles
Car hacking specialists shift gears and work on car defense in their latest gigs - at GM subsidiary Cruise Automation.
