Shining a Light on DARKSIDE Ransomware Operations
Since initially surfacing in August 2020, the creators of DARKSIDE
ransomware and their affiliates have launched a global crime spree
affecting organizations in more than 15 countries and multiple
industry verticals. Like many of their peers,...
The UNC2529 Triple Double: A Trifecta Phishing Campaign
In December 2020, Mandiant observed a widespread, global phishing
campaign targeting numerous organizations across an array of
industries. Mandiant tracks this threat actor as UNC2529.
Based on the considerable infrastructure employed, tailored phishing
lures and...
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Mandiant has observed an aggressive financially motivated group,
UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to
a patch being available and deploying sophisticated malware previously
reported by other vendors as SOMBRAT. Mandiant has linked the...
Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity
In July 2020, Mandiant
Threat Intelligence released a
public report detailing an ongoing influence campaign we named
“Ghostwriter.” Ghostwriter is a cyber-enabled influence campaign which
primarily targets audiences in Lithuania, Latvia...
Abusing Replication: Stealing AD FS Secrets Over the Network
Organizations are increasingly adopting cloud-based services such as
Microsoft 365 to host applications and data. Sophisticated threat
actors are catching on and Mandiant has observed an increased focus on
long-term persistent access to Microsoft 365 as...
Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise
In March 2021, Mandiant Managed Defense identified three zero-day
vulnerabilities in SonicWall’s Email Security (ES) product that were
being exploited in the wild. These vulnerabilities were executed in
conjunction to obtain administrative access and code execution...
Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Executive Summary
Mandiant recently responded to multiple security incidents
involving compromises of Pulse Secure VPN appliances. This
blog post examines multiple, related techniques for bypassing single
and multifactor authentication...
Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure
High-profile security incidents in the past decade have brought
increased scrutiny to cyber security for operational technology (OT).
However, there is a continued perception across critical
infrastructure organizations that OT networks are isolated from public
...
M-Trends 2021: A View From the Front Lines
We are thrilled to launch
M-Trends
2021, the 12th edition of our annual FireEye
Mandiant publication. The past year has been unique, as we witnessed
an unprecedented combination of global events. Business...
Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service
In this blog post we will describe: How
attackers use the Background Intelligent Transfer Service
...
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Beginning in January 2021, Mandiant Managed Defense observed multiple
instances of abuse of Microsoft Exchange Server within at least one
client environment. The observed activity included creation of web
shells for persistent access, remote code execution,...
New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452
Executive Summary
In August 2020, a U.S.-based entity uploaded a new backdoor
that we have named SUNSHUTTLE to a public malware repository.
SUNSHUTTLE is a second-stage backdoor written in GoLang that
...
Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory
Continuing our discussion of image
parsing vulnerabilities in Windows, we take a look at a
comparatively less popular vulnerability class: uninitialized memory.
In this post, we will look at Windows’ inbuilt image
parsers—specifically...
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Mandiant Advanced Practices (AP) closely tracks the shifting tactics,
techniques, and procedures (TTPs) of financially motivated groups who
severely disrupt organizations with ransomware. In May 2020, FireEye
released a blog
post detailing intrusion...
Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
Starting in mid-December 2020, malicious actors that Mandiant tracks
as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s
legacy File Transfer Appliance (FTA) to install a newly discovered web
shell named DEWMODE. The motivation of UNC2546 was...
Blessed are the cryptographers, labelling them criminal enablers is just foolish
Preserving privacy is hard. I know because when I tried, I quickly learned not to play with weapons Column Nearly a decade ago I decided to try my hand as a cryptographer. It went about as well as you...
Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations
The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data ransom demands are not met.
"The...
NSA and ODNI analyze potential risks to 5G networks
U.S. Intelligence agencies warn of weaknesses in 5G networks that could be exploited by crooks and nation-state actors for intelligence gathering.
The U.S. National Security Agency (NSA), along with the DHS Cybersecurity and Infrastructure Security Agency (CISA), and the Office...
Alert: Hackers Exploit Adobe Reader 0-Day Vulnerability in the Wild
Adobe has released Patch Tuesday updates for the month of May with fixes for multiple vulnerabilities spanning 12 different products, including a zero-day flaw affecting Adobe Reader that's actively exploited in the wild.
The list of updated applications includes Adobe Experience Manager,...
Beijing twirls ban-hammer at 84 more apps it says need to stop slurping excess data
Online lending apps and more given fifteen days to ‘rectify’ behaviour China’s Central Cyberspace Affairs Commission has named 84 apps it says breach local privacy laws and given their developers 15 days to “rectify” their code.…
