One of Google Cloud’s major missions is to arm security professionals with modern tools to help them defend against the latest threats. Part of that mission involves moving closer to a more autonomous, adaptive approach in threat intelligence automation. In…
Category: Threat Intelligence
Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation
Matthijs Gielen, Jay Christiansen < div class=”block-paragraph_advanced”> Background New solutions, old problems. Artificial intelligence (AI) and large language models (LLMs) are here to signal a new day in the cybersecurity world, but what does that mean for us—the attackers and…
Emerging Threats: Cybersecurity Forecast 2025
Every November, we start sharing forward-looking insights on threats and other cybersecurity topics to help organizations and defenders prepare for the year ahead. The Cybersecurity Forecast 2025 report, available today, plays a big role in helping us accomplish this mission.…
Flare-On 11 Challenge Solutions
Written by: Nick Harbour The eleventh Flare-On challenge is now over! This year proved to be a tough challenge for the over 5,300 players, with only 275 completing all 10 stages. We had a blast making this contest and are…
(In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments
Written by: Thibault Van Geluwe de Berlaere, Karl Madden, Corné de Jong < div class=”block-paragraph_advanced”>The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved…
Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives
In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named “Civil Defense”. “Civil Defense”…
Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
Written by: Foti Castelan, Max Thauer, JP Glab, Gabby Roncone, Tufail Ahmed, Jared Wilson < div class=”block-paragraph_advanced”> Summary In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in…
How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends
Written by: Casey Charrier, Robert Weiner < div class=”block-paragraph_advanced”>Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. Consistent with past analyses, the majority (97) of these vulnerabilities were exploited as zero-days…
capa Explorer Web: A Web-Based Tool for Program Capability Analysis
Written by: Soufiane Fariss, Willi Ballenthin, Mike Hunhoff, Genwei Jiang, Tina Johnson, Moritz Raabe capa, developed by Mandiant’s FLARE team, is a reverse engineering tool that automates the identification of program capabilities. In this blog post we introduce capa Explorer…
LummaC2: Obfuscation Through Indirect Control Flow
Written by: Nino Isakovic, Chuong Dong Overview This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the…
Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
Written by: Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano, Alice Revelli Strategic Overview of IT Workers Since 2022, Mandiant has tracked and reported on IT workers operating on behalf of the Democratic People’s Republic of North Korea…
UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
Written by: Stav Shulman, Matan Mimran, Sarah Bock, Mark Lechtik < div class=”block-paragraph_advanced”> Executive Summary UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature…
An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
Written by: Marco Galli, Diana Ion, Yash Gupta, Adrian Hernandez, Ana Martinez Gomez, Jon Daniels, Christopher Gardner < div class=”block-paragraph_advanced”> Introduction In June 2024, Mandiant Managed Defense identified a cyber espionage group suspected to have a North Korea nexus, tracked…
Announcing the 11th Annual Flare-On Challenge
Written by: Nick Harbour When it’s pumpkin spice season, that means it’s also Flare-On Challenge season. The Flare-On Challenge is a reverse engineering contest held every year by the FLARE team, and this marks its eleventh year running. It draws…
Protecting Multi-Cloud Resources in the Era of Modern Cloud-Based Cyberattacks
Written by: Rupa Mukherjee, Jon Sabberton In the era of multi-cloud adoption, where organizations leverage diverse cloud platforms to optimize their operations, a new wave of security challenges have emerged. The expansion of attack surfaces beyond traditional on-premises environments, coupled…
Insights on Cyber Threats Targeting Users and Enterprises in Mexico
Written by: Aurora Blum, Kelli Vanderlee Like many countries across the globe, Mexico faces a cyber threat landscape made up of a complex interplay of global and local threats, with threat actors carrying out attempted intrusions into critical sectors of…
DeFied Expectations — Examining Web3 Heists
Written by: Robert Wallace, Blas Kojusner, Joseph Dobson Where money goes, crime follows. The rapid growth of Web3 has presented new opportunities for threat actors, especially in decentralized finance (DeFi), where the heists are larger and more numerous than anything…
A Measure of Motive: How Attackers Weaponize Digital Analytics Tools
Adrian McCabe, Ryan Tomcik, Stephen Clement < div class=”block-paragraph_advanced”> Introduction Digital analytics tools are vital components of the vast domain that is modern cyberspace. From system administrators managing traffic load balancers to marketers and advertisers working to deliver relevant content…
I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation
Written by: Ofir Rozmann, Asli Koksal, Sarah Bock Today Mandiant is releasing details of a suspected Iran-nexus counterintelligence operation aimed at collecting data on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, particularly in…
PEAKLIGHT: Decoding the Stealthy Memory-Only Malware
Written by: Aaron Lee, Praveeth DSouza TL;DR Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. Overview Mandiant Managed Defense…
“WireServing” Up Credentials: Escalating Privileges in Azure Kubernetes Services
Written by: Nick McClendon, Daniel McNamara, Jacob Paullus < div class=”block-paragraph_advanced”> Executive Summary Mandiant disclosed this vulnerability to Microsoft via the Microsoft Security Response Center (MSRC) vulnerability disclosure program, and Microsoft has fixed the underlying issue. An attacker with…
Hacking Beyond .com — Enumerating Private TLDs
Written by: Idan Ron < div class=”block-paragraph_advanced”> Background My story started a few months ago, when I performed a red team assessment for a major retail company. During the Open Source Reconnaissance (OSINT) phase, I reviewed the SSL certificates…
Hacking Beyond.com — Enumerating Private TLDs
Written by: Idan Ron < div class=”block-paragraph_advanced”> Background My story started a few months ago, when I performed a red team assessment for a major retail company. During the Open Source Reconnaissance (OSINT) phase, I reviewed the SSL certificates…
UNC4393 Goes Gently into the SILENTNIGHT
Written by: Josh Murchie, Ashley Pearson, Joseph Pisano, Jake Nicastro, Joshua Shilko, Raymond Leong Overview In mid-2022, Mandiant’s Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant’s…
APT45: North Korea’s Digital Military Machine
Written by: Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart Executive Summary APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009. APT45 has gradually expanded into…
Whose Voice Is It Anyway? AI-Powered Voice Spoofing for Next-Gen Vishing Attacks
Written by: Emily Astranova, Pascal Issa < div class=”block-paragraph_advanced”> Executive Summary AI-powered voice cloning can now mimic human speech with uncanny precision, creating for more realistic phishing schemes. According to news reports, scammers have leveraged voice cloning and deepfakes…
APT41 Has Arisen From the DUST
Written by: Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan Lepore < div class=”block-paragraph_advanced”> Executive Summary In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent…
AI-Powered Learning: Your NIST NICE Prompt Library (Built with Google Gemini)
Written by: Jake Liefer < div class=”block-paragraph_advanced”> In the ever-evolving landscape of cybersecurity, staying ahead of threats demands continuous learning and skill development. The NIST NICE framework provides a roadmap, but mastering its extensive tasks, knowledge, and skills (TKSs)…
Scaling Up Malware Analysis with Gemini 1.5 Flash
Written by:Bernardo Quintero, Founder of VirusTotal and Security Director, Google Cloud SecurityAlex Berry, Security Manager of the Mandiant FLARE Team, Google Cloud SecurityIlfak Guilfanov, author of IDA Pro and CTO, Hex-RaysVijay Bolina, Chief Information Security Officer & Head of Cybersecurity Research,…
Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO
Written by: John Hultquist < div class=”block-paragraph_advanced”> As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges—the cyber threat. The Alliance faces…
Global Revival of Hacktivism Requires Increased Vigilance from Defenders
Written by: Daniel Kapellmann Zafra, Alden Wahlstrom, James Sadowski, Josh Palatucci, Davyn Baumann, Jose Nazario Since early 2022, Mandiant has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques. This comes decades after…
Cloaked and Covert: Uncovering UNC3886 Espionage Operations
Written by: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, Alex Marvi < div class=”block-paragraph_advanced”> Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected…
UNC3944 Targets SaaS Applications
< div class=”block-paragraph_advanced”> Introduction UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of “0ktapus,” “Octo Tempest,” “Scatter Swine,” and “Scattered Spider,” and has been observed adapting its tactics to include data theft from software-as-a-service…
Insights on Cyber Threats Targeting Users and Enterprises in Brazil
Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno Individuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of global and local threats, posing significant risks to individuals,…
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
Introduction Through the course of our incident response engagements and threat intelligence collections, Mandiant has identified a threat campaign targeting Snowflake customer database instances with the intent of data theft and extortion. Snowflake is a multi-cloud data warehousing platform used…
Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics
Written by: Michelle Cantos, Jamie Collier < div class=”block-paragraph_advanced”> Executive Summary Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and…
Ransomware Rebounds: Extortion Threat Surges in 2023, Attackers Rely on Publicly Available and Legitimate Tools
Written by: Bavi Sadayappan, Zach Riddle, Jordan Nuce, Joshua Shilko, Jeremy Kennelly < div class=”block-paragraph_advanced”> A version of this blog post was published to the Mandiant Advantage portal on April 18, 2024. Executive Summary In 2023, Mandiant observed an…
IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders
Written by: Michael Raggi Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting…
Holes in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets
Written by: Mark Swindle < div class=”block-paragraph_advanced”> While investigating recent exposures of Amazon Web Services (AWS) secrets, Mandiant identified a scenario in which client-specific secrets have been leaked from Atlassian’s code repository tool, Bitbucket, and leveraged by threat actors…