Hard Pass: Declining APT34’s Invite to Join Their Professional Network
Background
With increasing geopolitical tensions in the Middle East, we expect
Iran to significantly increase the volume and scope of its cyber
espionage campaigns. Iran has a critical need for strategic
intelligence and is likely to...
Hunting COM Objects (Part Two)
Background
As a follow up to Part
One in this blog series on COM object hunting, this post will
talk about taking the COM object hunting methodology deeper by looking
at interesting COM object...
Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities
FireEye Labs recently observed an attack against the government
sector in Central Asia. The attack involved the new HAWKBALL backdoor
being delivered via well-known Microsoft Office vulnerabilities
CVE-2017-11882 and CVE-2018-0802.
HAWKBALL is a backdoor that attackers...
Hunting COM Objects
COM objects have recently been used by penetration testers, Red
Teams, and malicious actors to perform lateral movement. COM objects
were studied by several other researchers in the past, including Matt
Nelson (enigma0x3), who published a...
Framing the Problem: Cyber Threats and Elections
This year, Canada, multiple European nations, and others will host
high profile elections. The topic of cyber-enabled threats disrupting
and targeting elections has become an increasing area of awareness for
governments and citizens globally. To develop...
Learning to Rank Strings Output for Speedier Malware Analysis
Reverse engineers, forensic investigators, and incident responders
have an arsenal of tools at their disposal to dissect malicious
software binaries. When performing malware analysis, they successively
apply these tools in order to gradually gather clues about...
Network of Social Media Accounts Impersonates U.S. Political Candidates, Leverages U.S. and Israeli Media in Support of Iranian Interests
In August 2018, FireEye Threat Intelligence released a report
exposing what we assessed to be an Iranian
influence operation leveraging networks of inauthentic news
sites and social media accounts aimed at audiences around the...
CARBANAK Week Part Four: The CARBANAK Desktop Video Player
Part
One, Part
Two and Part
Three of CARBANAK Week are behind us. In this final blog post, we
dive into one of the more interesting tools that is part...
CARBANAK Week Part Three: Behind the CARBANAK Backdoor
We covered a lot of ground in Part
One and Part
Two of our CARBANAK Week blog series. Now let's take a look back
at some of our previous analysis and see how it holds up.
In June...
CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis
In the previous
installment, we wrote about how string hashing was used in
CARBANAK to manage Windows API resolution throughout the entire
codebase. But the authors used this same string hashing algorithm for
...
CARBANAK Week Part One: A Rare Occurrence
It is very unusual for FLARE to analyze a prolifically-used,
privately-developed backdoor only to later have the source code and
operator tools fall into our laps. Yet this is the extraordinary
circumstance that...
Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People’s Republic
In early 2019, FireEye Threat Intelligence identified a spear
phishing email targeting government entities in Ukraine. The spear
phishing email included a malicious LNK file with PowerShell script to
download the second-stage payload from the command and...
FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash
Adobe Flash is one of the most exploited software components of the
last decade. Its complexity and ubiquity make it an obvious target for
attackers. Public sources list more than
one
...
TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping
Overview
FireEye can now confirm that we have uncovered and are responding
to an additional intrusion by the attacker behind TRITON at a
different critical infrastructure facility.
In December 2017, FireEye publicly released our...
Churning Out Machine Learning Models: Handling Changes in Model Predictions
Introduction
Machine learning (ML) is playing an increasingly important role in
cyber security. Here at FireEye, we employ ML for a variety of tasks
such as: antivirus,
malicious
PowerShell detection, and...
Cisco Patches Critical Flaw in Vision Dynamic Signage Director
Cisco this week released a security patch for the Vision Dynamic Signage Director, to address a Critical vulnerability that could allow attackers to execute arbitrary actions on the local system.
Tracked as CVE-2019-1917, the vulnerability was found in the REST...
The Great Hack: the film that goes behind the scenes of the Facebook data scandal
This week, a Netflix documentary on Cambridge Analytica sheds light on one of the most complex scandals of our time. Carole Cadwalladr, who broke the story and appears in the film, looks at the fallout – and finds ‘surveillance...
Scotland Yard Twitter and Emails Hacked
London's Metropolitan Police apologised Saturday after its Twitter, emails and news pages were targeted by hackers and began pumping out a series of bizarre messages.
read more
Browser Extensions Scraped Data From Millions of People
Slack passwords, NSO spyware, and more of the week's top security news.
Hackers breach FSB contractor, expose Tor deanonymization project and more
SyTech, the hacked company, was working on research projects for the FSB, Russia's intelligence service.
