Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries

Intrusions Focus on the Engineering and Maritime Sector
Since early 2018, FireEye (including our FireEye as a Service (FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been tracking an ongoing wave of intrusions targeting engineering …

APT37 (Reaper): The Overlooked North Korean Actor

On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper). Our analysis of APT37’s recen…

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction
FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners. CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Secu…

ReelPhish: A Real-Time Two-Factor Phishing Tool

Social Engineering and Two-Factor Authentication
Social engineering campaigns are a constant threat to businesses because they target the weakest chain in security: people. A typical attack would capture a victim’s username and password and s…

Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations

On Jan. 31, KISA (KrCERT) published an advisory about an Adobe Flash zero-day vulnerability (CVE-2018-4878) being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash P…

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction
FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated …

FLARE IDA Pro Script Series: Simplifying Graphs in IDA

Introduction
We’re proud to release a new plug-in for IDA Pro users – SimplifyGraph – to help automate creation of groups of nodes in the IDA’s disassembly graph view. Code and binaries are available from the F…

New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit

Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activ…

Recognizing and Avoiding Disassembled Junk

There is a common annoyance that seems to plague every reverse engineer and incident responder at some point in their career: wasting time or energy looking at junk code. Junk code is a sequence of bytes that you have disassembled that are not ac…

Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection

Introduction
TLS (Thread Local Storage) callbacks are provided by the Windows operating system to support additional initialization and termination for per-thread data structures. As previously reported, malicious TLS callbacks, as an anti-analys…