During the analysis of a banking trojan sample targeting Android smartphones, Mandiant identified the repeated use of a string obfuscation mechanism throughout the application code. To fully analyze and understand the application’s functionality, one possibility is to manually decode the…
Tag: All Blog Listing
When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors
Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania. Mandiant attributes this activity…
Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
Mandiant and Ivanti’s investigations into widespread Ivanti zero-day exploitation have continued across a variety of industry verticals, including the U.S. defense industrial base sector. Following the initial publication on Jan. 10, 2024, Mandiant observed mass attempts to exploit these vulnerabilities by…
Remediation and Hardening Guide for ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
On Feb. 19, 2024, ConnectWise announced two vulnerabilities for their ScreenConnect product affecting (on-premises) versions 23.9.7 and earlier: CVE-2024-1708 – Authentication Bypass Vulnerability (10.0) CVE-2024-1709 – Path Traversal Vulnerability (8.4) These vulnerabilities allow an unauthenticated actor to bypass authentication, and…
Unveiling Mandiant’s Cyber Threat Intelligence Program Maturity Assessment
As part of Google Cloud’s continuing commitment to improving the overall state of cybersecurity for society, today Mandiant is publicly releasing a web-based Intelligence Capability Discovery (ICD) to help commercial and governmental organizations evaluate the maturity of their cyber threat…
Riding Dragons: capa Harnesses Ghidra
capa is the FLARE team’s open source tool that detects capabilities in executable files. Ghidra is an open source software reverse engineering framework created and maintained by the National Security Agency Research Directorate. With the release of capa v7, we have integrated…
Stolen Credentials Make You Question Who Really Has Access
Are your passwords floating around on the dark web? How would you know if they were? It’s more important than ever to be proactive in protecting your organization’s data. One of the best ways to do this is to monitor for…
Dynamic capa: Exploring Executable Run-Time Behavior with the CAPE Sandbox
We are excited to announce that capa v7.0 now identifies program capabilities from dynamic analysis reports generated via the CAPE sandbox. This expansion of capa’s original static analysis approach allows analysts to better triage packed and obfuscated samples, and summarizes (malware) capabilities…
Evolution of UNC4990: Uncovering USB Malware’s Hidden Depths
Mandiant Managed Defense has been tracking UNC4990, an actor who heavily uses USB devices for initial infection. UNC4990 primarily targets users based in Italy and is likely motivated by financial gain. Our research shows this campaign has been ongoing since at least…
Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation
Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed. On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect…
Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns
On January 3, 2024, Mandiant’s X social media account was taken over and subsequently used to distribute links to a cryptocurrency drainer phishing page. Working with X, we were able to regain control of the account and, based on our…
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors
Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign promoting malicious websites themed around unclaimed funds. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and…
The Defender’s Advantage Cyber Snapshot, Issue 5 — Insiders, Applications, and Mitigating Risk
The Defender’s Advantage Cyber Snapshot report provides insights into cyber defense topics of growing importance based on Mandiant frontline observations and real-world experiences. The fifth edition covers a wide range of topics, including the ideology and landscape of insider threats,…
FLOSS for Gophers and Crabs: Extracting Strings from Go and Rust Executables
The evolving landscape of software development has introduced new programming languages like Go and Rust. Binaries compiled from these languages work differently to classic (C/C++) programs and challenge many conventional analysis tools. To support the static analysis of Go and…
Improving FLARE’s Malware Analysis Tools at Google Summer of Code 2023
This summer marked the FLARE team’s first year participating in Google Summer of Code (GSoC). GSoC is a global online mentoring program focused on introducing new contributors to open source software development. GSoC contributors work with mentors to complete 12+ week…
Insider Threat: Hunting and Detecting
The insider threat is a multifaceted challenge that represents a significant cybersecurity risk to organizations today. Some are malicious insiders such as employees looking to steal data or sabotage the organization. Some are unintentional insiders such as employees who make…
The CTI Process Hyperloop: A Practical Implementation of the CTI Process Lifecycle
Implementing the CTI Process Lifecycle as a Hyperloop The Intelligence Hyperloop is an implementation model for the Cyber Threat Intelligence (CTI) Process Lifecycle. The lifecycle is a well-established process describing how intelligence products are driven by planning & direction initially,…
Flare-On 10 Challenge Solutions
Our goal this year was to make the most difficult Flare-On challenge we’ve ever produced to celebrate a full decade of contests. At the time of this writing, there were 219 Flare-On finishers out of 4,767 registered users, which makes…
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
In late 2022, Mandiant responded to a disruptive cyber physical incident in which the Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber attack that leveraged a novel technique for impacting industrial control…
Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)
Note: This is a developing campaign under active analysis. We will continue to add more indicators, hunting tips, and information to this blog post as needed. On Oct. 10, 2023, Citrix released a security bulletin for a sensitive information disclosure vulnerability…