What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-06-18 14:00:00 | Couchée et secrète: Découvrir les opérations d'espionnage UNC3886 Cloaked and Covert: Uncovering UNC3886 Espionage Operations (lien direct) |
Written by: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, Alex Marvi
Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected Fortinet devices. Furthermore, the investigation uncovered the compromise of VMware technologies, which facilitated access to guest virtual machines. Investigations into more recent operations in 2023 following fixes from the vendors involved in the investigation have corroborated Mandiant\'s initial observations that the actor operates in a sophisticated, cautious, and evasive nature. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time. Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated. This blog post discusses UNC3886\'s intrusion path and subsequent actions that were performed in the environments after compromising the guest virtual machines to achieve access to the critical systems, including: The use of publicly available rootkits for long-term persistence Deployment of malware that leveraged trusted third-party services for command and control (C2 or C&C) Subverting access and collecting credentials with Secure Shell (SSH) backdoors Extracting credentials from TACACS+ authentication using custom malware Mandiant has published detection and hardening guidelines for ESXi hypervisors and attack techniques employed by UNC3886. For Google SecOps Enterprise+ customer |
Malware Tool Vulnerability Threat Cloud Technical | APT 41 | ★★★ |
|
2024-06-13 14:00:00 | UNC3944 cible les applications SaaS UNC3944 Targets SaaS Applications (lien direct) |
Introduction
UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider," and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. Active since at least May 2022, UNC3944 has leveraged underground communities like Telegram to acquire tools, services, and support to enhance their operations.
Initially, UNC3944 focused on credential harvesting and SIM swapping attacks in their operations, eventually migrating to ransomware and data theft extortion. However, recently, UNC3944 has shifted to primarily data theft extortion without the use of ransomware. This change in objectives has precipitated an expansion of targeted industries and organizations as evidenced by Mandiant investigations.
Evidence also suggests UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.
This blog post aims to spotlight UNC3944\'s attacks against SaaS applications, providing insights into the group\'s evolving TTPs in line with its shifting mission objectives.
Tactics, Techniques, and Procedures (TTPs)
Figure 1: UNC3944 attack lifecycle
Mandiant has observed UNC3944 in multiple engagements leveraging social engineering techniques against corporate help desks to gain initial access to existing privileged accounts. Mandiant has analyzed several forensic recordings of these call center attacks, and of the observed r |
Ransomware Tool Threat Cloud | ★★★ | |
|
2024-06-12 14:00:00 | Aperçu sur les cyber-menaces ciblant les utilisateurs et les entreprises au Brésil Insights on Cyber Threats Targeting Users and Enterprises in Brazil (lien direct) |
Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno
Individuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of global and local threats, posing significant risks to individuals, organizations, and critical sectors of Brazilian society. Many of the cyber espionage threat actors that are prolific in campaigns across the globe are also active in carrying out attempted intrusions into critical sectors of Brazilian society. Brazil also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise. At the same time, the threat landscape in Brazil is shaped by a domestic cybercriminal market, where threat actors coordinate to carry out account takeovers, conduct carding and fraud, deploy banking malware and facilitate other cyber threats targeting Brazilians. The rise of the Global South, with Brazil at the forefront, marks a significant shift in the geopolitical landscape; one that extends into the cyber realm. As Brazil\'s influence grows, so does its digital footprint, making it an increasingly attractive target for cyber threats originating from both global and domestic actors. This blog post brings together Google\'s collective understanding of the Brazilian threat landscape, combining insights from Google\'s Threat Analysis Group (TAG) and Mandiant\'s frontline intelligence. As Brazil\'s economic and geopolitical role in global affairs continues to rise, threat actors from an array of motivations will further seek opportunities to exploit the digital infrastructure that Brazilians rely upon across all aspects of society. By sharing our global perspective, we hope to enable greater resiliency in mitigating these threats. Google uses the results of our research to improve the safety and security of our products, making them secure by default. Chrome OS has built-in and proactive security to protect from ransomware, and there have been no reported ransomware attacks ever on any business, education, or consumer Chrome OS device. Google security teams continuously monitor for new threat activity, and all identified websites and domains are added to Safe Browsing to protect users from further exploitation. We deploy and constantly update Android detections to protect users\' devices and prevent malicious actors from publishing malware to the Google Play Store. We send targeted Gmail and Workspace users government-backed attacker alerts, notifying them of the activity and encouraging potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated. Cyber Espionage Operations Targeting Brazil Brazil\'s status as a globally influential power and the largest economy in South America have drawn attention from c |
Ransomware Spam Malware Tool Vulnerability Threat Mobile Medical Cloud Technical | APT 28 | ★★ |
|
2024-06-10 14:00:00 | UNC5537 cible les instances des clients de Snowflake pour le vol de données et l'extorsion UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion (lien direct) |
Introduction Through the course of our incident response engagements and threat intelligence collections, Mandiant has identified a threat campaign targeting Snowflake customer database instances with the intent of data theft and extortion. Snowflake is a multi-cloud data warehousing platform used to store and analyze large amounts of structured and unstructured data. Mandiant tracks this cluster of activity as UNC5537, a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments. UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims. Mandiant\'s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake\'s enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials. In April 2024, Mandiant received threat intelligence on database records that were subsequently determined to have originated from a victim\'s Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance. During this investigation, Mandiant determined that the organization\'s Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer\'s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled. On May 22, 2024 upon obtaining additional intelligence identifying a broader campaign targeting additional Snowflake customer instances, Mandiant immediately contacted Snowflake and began notifying potential victims through our Victim Notification Program. To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations. Snowflake\'s Customer Support has been directly engaged with these customers to ensure the safety of their accounts and data. Mandiant and Snowflake have been conducting a joint investigation into this ongoing threat campaign and coordinating with relevant law enforcement agencies. On May 30, 2024, Snowflake published detailed detection and hardening guidance to Snowflake customers. | Malware Tool Threat Legislation Cloud | ★★ | |
|
2024-06-05 14:00:00 | Phishing pour l'or: cyber-menaces auxquelles sont confrontés les Jeux olympiques de Paris 2024 Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics (lien direct) |
Written by: Michelle Cantos, Jamie Collier
Executive Summary Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations. Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event. Mandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics. While China, Iran, and North Korea state sponsored actors also pose a moderate to low risk. To reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their threat profiles, conduct security awareness training, and consider travel-related cyber risks. The security community is better prepared for the cyber threats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events. While some entities may face unfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar. While the technical disruption caused by hacktivism and information operations is often temporary, these operations can have an outsized impact during high-profile events with a global audience. Introduction The 2024 Summer Olympics taking place in Paris, France between July and August creates opportunities for a range of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event, understanding relevant threats is key to developing a resilient security posture. Defenders should prepare against a variety of threats that will likely be interested in targeting the Games for different reasons: Cyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to the volume of government officials and senior decision makers attending. Disruptive and destructive operations could potentially target the Games to cause negative psychological effects and reputational damage. This type of activity could take the form of website defacements, distributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology (OT) targeting. As a high profile, large-scale sporting event with a global audience, the Olympics represents an ideal stage for such operations given that the impact of any disruption would be significantly magnified. Information operations will likely leverage interest in the Olympics to spread narratives and disinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive attacks to amplify the spread of particular narratives in hybrid operations. Financially-motivated actors are likely to target the Olympics in v |
Ransomware Malware Threat Studies Mobile Cloud Technical | APT 15 APT 31 APT 42 | ★★ |
|
2024-06-03 14:00:00 | Ransomwares rebonds: la menace d'extorsion augmente en 2023, les attaquants s'appuient sur les outils accessibles au public et légitimes Ransomware Rebounds: Extortion Threat Surges in 2023, Attackers Rely on Publicly Available and Legitimate Tools (lien direct) |
Written by: Bavi Sadayappan, Zach Riddle, Jordan Nuce, Joshua Shilko, Jeremy Kennelly
A version of this blog post was published to the Mandiant Advantage portal on April 18, 2024. Executive Summary In 2023, Mandiant observed an increase in ransomware activity as compared to 2022, based on a significant rise in posts on data leak sites and a moderate increase in Mandiant-led ransomware investigations. Mandiant observed an increase in the proportion of new ransomware variants compared to new families, with around one third of new families observed in 2023 being variants of previously identified ransomware families. Actors engaged in the post-compromise deployment of ransomware continue to predominately rely on commercially available and legitimate tools to facilitate their intrusion operations. Notably, we continue to observe a decline in the use of Cobalt Strike BEACON, and a corresponding increase in the use of legitimate remote access tools. In almost one third of incidents, ransomware was deployed within 48 hours of initial attacker access. Seventy-six percent (76%) of ransomware deployments took place outside of work hours, with the majority occurring in the early morning. Mandiant\'s recommendations to assist in addressing the threat posed by ransomware are captured in our Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints white paper. Introduction Threat actors have remained driven to conduct ransomware operations due to their profitability, particularly in comparison to other types of cyber crime. Mandiant observed an increase in ransomware activity in 2023 compared to 2022, including a 75% increase in posts on data leak sites (DLS), and an over 20% increase in Mandiant-led investigations involving ransomware from 2022 to 2023 (Figure 1). These observations are consistent with other reporting, which shows a record-breaking more than $1 billion USD paid to ransomware attackers in 2023. This illustrates that the slight dip in extortion activity observed in 2022 was an anomaly, potentially due to factors such as the invasion of Ukraine and the leaked CONTI chats. The current resurgence in extortion activity is likely driven by various factors, including the resettling of the cyber criminal ecosystem following a tumultuous year in 2022, new entrants, and new partnerships and ransomware service offerings by actors previously associated with prolific groups that had been disrupted. This blog post provides an overview of the ransomware landscape and common tactics, techniques, and procedures (TTPs) directly observed by Mandiant in 2023 ransomware incidents. Our analysis of TTPs relies primarily on data from Mandiant incident response engagements and therefore represe |
Ransomware Data Breach Spam Malware Tool Vulnerability Threat Legislation Prediction Medical Cloud Commercial | ★★★ | |
|
2024-05-22 14:00:00 | Extinction de l'IOC?Les acteurs de cyber-espionnage de Chine-Nexus utilisent des réseaux orbes pour augmenter les coûts des défenseurs IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders (lien direct) |
Written by: Michael Raggi
Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities. These networks often use both rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks. Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise\'s network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape. IOC Extinction and the Rise of ORB Networks The cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors: ORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People\'s Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by APT actors using them, but rather are temporarily used by these APT actors often to deploy custom tooling more conventionally attributable to known China-nexus adversaries. ORB network infrastructure has a short lifesp |
Malware Tool Vulnerability Threat Prediction Cloud Commercial | APT 15 APT 5 APT 31 | ★★★ |
|
2024-05-21 14:00:00 | Trous dans votre bitbucket: pourquoi votre pipeline CI / CD fuit des secrets Holes in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets (lien direct) |
Written by: Mark Swindle
While investigating recent exposures of Amazon Web Services (AWS) secrets, Mandiant identified a scenario in which client-specific secrets have been leaked from Atlassian\'s code repository tool, Bitbucket, and leveraged by threat actors to gain unauthorized access to AWS. This blog post illustrates how Bitbucket Secured Variables can be leaked in your pipeline and expose you to security breaches. Background Bitbucket is a code hosting platform provided by Atlassian and is equipped with a built-in continuous integration and continuous delivery/deployment (CI/CD) service called Bitbucket Pipelines. Bitbucket Pipelines can be used to execute CI/CD use cases like deploying and maintaining resources in AWS. Bitbucket includes an administrative function called "Secured Variables" that allows administrators to store CI/CD secrets, such as AWS keys, directly in Bitbucket for easy reference by code libraries. CI/CD Secrets: CI/CD Secrets serve as the authentication and authorization backbone within CI/CD pipelines. They provide the credentials required for pipelines to interact with platforms like AWS, ensuring pipelines possess the appropriate permissions for their tasks. Secrets are often extremely powerful and are beloved by attackers because they present an opportunity for direct, unabated access to an environment. Maintaining confidentiality of secrets while balancing ease of use by developers is a constant struggle in securing CI/CD pipelines. Bitbucket Secured Variables: Bitbucket provides a way to store variables so developers can quickly reference them when writing code. Additionally, Bitbucket offers an option to declare a variable as a "secured variable" for any data that is sensitive. A secured variable is designed such that, once its value is set by an administrator, it can no longer be read in plain text. This structure allows developers to make quick calls to secret variables without exposing their values anywhere in Bitbucket. Unless… Exporting Secrets from Bitbucket in Plain Text CI/CD pipelines are designed just like the plumbing in your house. Pipes, valves, and regulators all work in unison to provide you with reliable, running water. CI/CD pipelines are a complicated orchestration of events to accomplish a specific task. In order to accomplish this, these pipelines are highly proficient at packaging and deploying large volumes of data completely autonomously. As a developer, this creates countless possibilities for automating work, but, as a security professional, it can be a cause for anxiety and heartburn. Perhaps it\'s a line of code with a hardcoded secret sneaking into production. Maybe it\'s a developer accidentally storing secrets locally on their machine. Or maybe, as we have seen in recent investigations, it\'s a Bitbucket artifact object containing secrets for an AWS environment being published to publicly available locations like S3 Buckets or company websites. Bitbucket secured variables are a convenient way to store secrets locally in Bitbucket for quick reference by developers; however, they come with one concerning characteristic-they can be exposed in plain text through artifact objects. If a Bitbucket variable-secured or not secured-is copied to an artifact object using the artifacts: command, the result will generate a .txt file with |
Tool Threat Studies | ★★★ | |
|
2024-05-01 14:00:00 | Uncharmed: Untangling Iran\'s APT42 Operations (lien direct) | Written by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery
APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware. APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 ( |
Malware Tool Threat Cloud | Yahoo APT 35 APT 42 | ★★ |
|
2024-04-30 14:00:00 | Protection des ransomwares et stratégies de confinement: conseils pratiques pour le durcissement et la protection des infrastructures, des identités et des points de terminaison Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints (lien direct) |
Written by: Matthew McWhirt, Omar ElAhdan, Glenn Staniforth, Brian Meyer
Multi-faceted extortion via ransomware and/or data theft is a popular end goal for attackers, representing a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization, including the loss of access to data, systems, and prolonged operational outages. The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls can be overwhelming.Since the initial launch of our report in 2019, data theft and ransomware deployment tactics have continued to evolve and escalate. This evolution marks a shift from manual or script-based ransomware deployment to sophisticated, large-scale operations, including:
Weaponizing Trusted Service Infrastructure (TSI): Adversaries are increasingly abusing legitimate infrastructure and security tools (TSI) to rapidly propagate malware or ransomware across entire networks.
Targeting Virtualization Platforms: Attackers are actively focusing on the virtualization layer, aiming to mass-encrypt virtual machines (VMs) and other critical systems at scale.
Targeting Backup Data / Platforms: Threat actors are exploiting misconfigurations or security gaps in backup systems to either erase or corrupt data backups, severely hindering recovery efforts.
Based upon these newer techniques, it is critical that organizations identify the span of the attack surface, and align proper security controls and visibility that includes coverage for protecting:
Identities
Endpoints
Network Architectures
Remote Access Platforms
Trusted Service Infrastructure (TSI)
Cascading weaknesses across these layers create opportunities for attackers to breach an organization\'s perimeter, gain initial access, and maintain a persistent foothold within the compromised network.
In our updated report, |
Ransomware Malware Tool Threat | ★★★ | |
|
2024-04-29 14:00:00 | De l'assistant à l'analyste: la puissance de Gemini 1.5 Pro pour l'analyse des logiciels malveillants From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis (lien direct) |
Executive Summary A growing amount of malware has naturally increased workloads for defenders and particularly malware analysts, creating a need for improved automation and approaches to dealing with this classic threat. With the recent rise in generative AI tools, we decided to put our own Gemini 1.5 Pro to the test to see how it performed at analyzing malware. By providing code and using a simple prompt, we asked Gemini 1.5 Pro to determine if the file was malicious, and also to provide a list of activities and indicators of compromise. We did this for multiple malware files, testing with both decompiled and disassembled code, and Gemini 1.5 Pro was notably accurate each time, generating summary reports in human-readable language. Gemini 1.5 Pro was even able to make an accurate determination of code that - at the time - was receiving zero detections on VirusTotal. In our testing with other similar gen AI tools, we were required to divide the code into chunks, which led to vague and non-specific outcomes, and affected the overall analysis. Gemini 1.5 Pro, however, processed the entire code in a single pass, and often in about 30 to 40 seconds. Introduction The explosive growth of malware continues to challenge traditional, manual analysis methods, underscoring the urgent need for improved automation and innovative approaches. Generative AI models have become invaluable in some aspects of malware analysis, yet their effectiveness in handling large and complex malware samples has been limited. The introduction of Gemini 1.5 Pro, capable of processing up to 1 million tokens, marks a significant breakthrough. This advancement not only empowers AI to function as a powerful assistant in automating the malware analysis workflow but also significantly scales up the automation of code analysis. By substantially increasing the processing capacity, Gemini 1.5 Pro paves the way for a more adaptive and robust approach to cybersecurity, helping analysts manage the asymmetric volume of threats more effectively and efficiently. Traditional Techniques for Automated Malware Analysis The foundation of automated malware analysis is built on a combination of static and dynamic analysis techniques, both of which play crucial roles in dissecting and understanding malware behavior. Static analysis involves examining the malware without executing it, providing insights into its code structure and unobfuscated logic. Dynamic analysis, on the other hand, involves observing the execution of the malware in a controlled environment to monitor its behavior, regardless of obfuscation. Together, these techniques are leveraged to gain a comprehensive understanding of malware. Parallel to these techniques, AI and machine learning (ML) have increasingly been employed to classify and cluster malware based on behavioral patterns, signatures, and anomalies. These methodologies have ranged from supervised learning, where models are trained on labeled datasets, to unsupervised learning for clustering, which identifies patterns without predefined labels to group similar malware. | Malware Hack Tool Vulnerability Threat Studies Prediction Cloud Conference | Wannacry | ★★★ |
|
2024-04-25 10:00:00 | Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections (lien direct) |
Written by: Kelli Vanderlee, Jamie Collier
Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. |
Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical | APT 40 APT 29 APT 28 APT 43 APT 31 APT 42 | ★★★ |
|
2024-04-23 12:00:00 | M-Trends 2024: Notre vue depuis les fronts M-Trends 2024: Our View from the Frontlines (lien direct) |
Attackers are taking greater strides to evade detection. This is one of the running themes in our latest release: M-Trends 2024. This edition of our annual report continues our tradition of providing relevant attacker and defender metrics, and insights into the latest attacker tactics, techniques and procedures, along with guidance and best practices on how organizations and defenders should be responding to threats.
This year\'s M-Trends report covers Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023 and December 31, 2023. During that time, many of our observations demonstrate a more concerted effort by attackers to evade detection, and remain undetected on systems for longer periods of time:
Increased targeting of edge devices, and platforms that traditionally lack endpoint detection and response solutions.
A more than 50% growth in zero-day usage over the same reporting period in 2022, both by espionage groups as well as financially-motivated attackers.
More “living off the land,” or use of legitimate, pre-installed tools and software within an environment.
Despite the increased focus on evasion by attackers, we are pleased to report that defenders are generally continuing to improve at detecting threats. Dwell time represents the period an attacker is on a system from compromise to detection, and in 2023 the global median dwell time is now 10 days, down from 16 days in 2022. While various factors (such as ransomware) help drive down dwell time, it\'s still a big win for defenders. We can\'t let up, however. Mandiant red teams need only five to seven days on average to achieve their objectives, so organizations must remain vigilant. Other M-Trends 2024 metrics include:
54% of organizations first learned of a compromise from an external source (down from 63% in 2022), while 46% first identified evidence of a compromise internally.
Our engagements most frequently occurred at financial services organizations (17.3%), business and professional services (13.3%), high tech (12.4%), retail and hospitality (8.6%), healthcare (8.1%), and government (8.1%).
The most common initial infection vectors were exploits (38%), phishing (17%), prior compromise (15%), and stolen credentials (10%).
Additional topics covered in detail in M-Trends 2024 include Chinese espionage operations targeting the visibility gap, the evolution of phishing amid shifting security controls, the use of adversary-in-the-middle to overcome multi-factor authentication, cloud intrusion trends, an |
Tool Vulnerability Threat Medical Cloud | ★★★★ | |
|
2024-04-17 10:00:00 | Unearthing APT44: Russia\'s Notorious Cyber Sabotage Unit Sandworm (lien direct) | Written by: Gabby Roncone, Dan Black, John Wolfram, Tyler McLellan, Nick Simonian, Ryan Hall, Anton Prokopenkov, Luke Jenkins, Dan Perez, Lexie Aytes, Alden Wahlstrom
With Russia\'s full-scale invasion in its third year, Sandworm (aka FROZENBARENTS) remains a formidable threat to Ukraine. The group\'s operations in support of Moscow\'s war aims have proven tactically and operationally adaptable, and as of today, appear to be better integrated with the activities of Russia\'s conventional forces than in any other previous phase of the conflict. To date, no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia\'s military campaign. Yet the threat posed by Sandworm is far from limited to Ukraine. Mandiant continues to see operations from the group that are global in scope in key political, military, and economic hotspots for Russia. Additionally, with a record number of people participating in national elections in 2024, Sandworm\'s history of attempting to interfere in democratic processes further elevates the severity of the threat the group may pose in the near-term. Given the active and diffuse nature of the threat posed by Sandworm globally, Mandiant has decided to graduate the group into a named Advanced Persistent Threat: APT44. As part of this process, we are releasing a report, “APT44: Unearthing Sandworm”, that provides additional insights into the group\'s new operations, retrospective insights, and context on how the group is adjusting to support Moscow\'s war aims. Key Findings Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations. While most state-backed threat groups tend to specialize in a specific mission such as collecting intelligence, sabotaging networks, or conducting information operations, APT44 stands apart in how it has honed each of these capabilities and sought to integrate them into a unified playbook over time. Each of these respective components, and APT44\'s efforts to blend them for combined effect, are foundational to Russia\'s guiding “information confrontation” concept for cyber warfare. 
Figure 1: APT44\'s spectrum of operations
APT44 has aggressively pursued a multi- |
Malware Tool Threat Mobile Cloud | NotPetya | ★★ |
|
2024-04-04 14:00:00 | Cutting avant, partie 4: Ivanti Connect Secure VPN Post-Exploitation Mouvement latéral Études de cas Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies (lien direct) |
Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan
Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant\'s previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325. This blog post, as well as our previous reports detailing Ivanti exploitation, help to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied. Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we\'ve seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives. As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti\'s latest patching guidance and instructions to prevent further exploitation activity. In addition, Ivanti released a new enhanced external integrity checker tool (ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other tactics, techniques, and procedures (TTPs) observed in the wild. We also released a remediation and hardening guide |
Malware Tool Vulnerability Threat Studies Mobile Cloud | Guam | ★★★ |
|
2024-03-28 11:00:00 | La vie après la mort?Les campagnes de l'IO liées à un homme d'affaires russe notoire Prigozhin persiste après sa chute politique et sa mort Life After Death? IO Campaigns Linked to Notorious Russian Businessman Prigozhin Persist After His Political Downfall and Death (lien direct) |
Written by: Alden Wahlstrom, David Mainor, Daniel Kapellmann Zafra
In June 2023, Russian businessman Yevgeniy Prigozhin and his private military company (PMC) “Wagner” carried out an armed mutiny within Russia. The events triggered the meteoric political downfall of Prigozhin, raising questions about the future of his various enterprises that were only underscored when he died two months later under suspicious circumstances. Up to that point, Prigozhin and his enterprises worked to advance the Kremlin\'s interests as the manifestation of the thinnest veil of plausible deniability for state-guided actions on multiple continents. Such enterprises included the Wagner PMC; overt influence infrastructure, like his media company Patriot Group that housed his media companies, including the “RIA FAN” Federal News Agency; covert influence infrastructures; and an array of businesses aimed at generating personal wealth and the resourcing necessary to fund his various ventures. Mandiant has for years tracked and reported on covert information operations (IO) threat activity linked to Prigozhin. His involvement in IO was first widely established in the West as part of the public exposure of Russian-backed interference in the 2016 U.S. presidential election-this included activity conducted by Russia\'s Internet Research Agency (IRA), which the U.S. Government publicly named Prigozhin as its financier. Subsequently, Prigozhin was publicly connected to a web of IO activity targeting the U.S., EU, Ukraine, Russian domestic audiences, countries across Africa, and further afield. Such activity has worked not only to advance Russian interests on matters of strategic importance, but also has attempted to exploit existing divisions in societies targeting various subgroups across their population. Throughout 2023, Mandiant has observed shifts in the activity from multiple IO campaigns linked to Prigozhin, including continued indicators that components of these campaigns have remained viable since his death. This blog post examines a sample of Prigozhin-linked IO campaigns to better understand their outcomes thus far and provide an overview of what can be expected from these activity sets in the future. This is relevant not only because some of the infrastructure of these campaigns remains viable despite Prigozhin\'s undoing, but also because we advance into a year in which Ukraine continues to dominate Russia\'s strategic priorities and there are multiple global elections that Russia may seek to influence. Mandiant and Google\'s Threat Analysis Group (TAG) work together in support of our respective missions at Google. TAG has likewise been tracking coordinated influence operations linked to Prigozhin and the Internet Research Agency (IRA) for years; and in 2023, Google took over 400 enforcement actions to disrupt IO campaigns linked to the IRA, details of which are reported in the quarterly TAG Bulletin. TAG has not observed significant activity from the IRA or other Prigozhin-linked entities specifically on Google platforms since Prigozhin\'s death, |
Threat Studies Legislation Prediction | ★★★ | |
|
2024-03-26 22:00:00 | Tendances les jours zéro exploités dans le monde en 2023 Trends on Zero-Days Exploited In-the-Wild in 2023 (lien direct) |
Written by: Maddie Stone, Jared Semrau, James Sadowski
Combined data from Google\'s Threat Analysis Group (TAG) and Mandiant shows 97 zero-day vulnerabilities were exploited in 2023; a big increase over the 62 zero-day vulnerabilities identified in 2022, but still less than 2021\'s peak of 106 zero-days. This finding comes from the first-ever joint zero-day report by TAG and Mandiant. The report highlights 2023 zero-day trends, with focus on two main categories of vulnerabilities. The first is end user platforms and products such as mobile devices, operating systems, browsers, and other applications. The second is enterprise-focused technologies such as security software and appliances. Key zero-day findings from the report include: Vendors\' security investments are working, making certain attacks harder. Attacks increasingly target third-party components, affecting multiple products. Enterprise targeting is rising, with more focus on security software and appliances. Commercial surveillance vendors lead browser and mobile device exploits. People\'s Republic of China (PRC) remains the top state-backed exploiter of zero-days. Financially-motivated attacks proportionally decreased. Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don\'t expect this activity to decrease anytime soon. Progress is being made on all fronts, but zero-day vulnerabilities remain a major threat. A Look Back - 2023 Zero-Day Activity at a Glance Barracuda ESG: CVE-2023-2868 Barracuda disclosed in May 2023 that a zero-day vulnerability (CVE-2023-2868) in their Email Security Gateway (ESG) had been actively exploited since as early as October 2022. Mandiant investigated and determined that UNC4841, a suspected Chinese cyber espionage actor, was conducting attacks across multiple regions and sectors as part of an espionage campaign in support of the PRC. Mandiant released a blog post with findings from the initial investigation, a follow-up post with more details as the investigation continued |
Vulnerability Threat Mobile Cloud Technical | ★★ | |
|
2024-03-22 11:00:00 | APT29 utilise Wineloader pour cibler les partis politiques allemands APT29 Uses WINELOADER to Target German Political Parties (lien direct) |
Résumé exécutif fin février, l'APT29 a utilisé une nouvelle variante de porte dérobée suivie publiquement comme wineloader pour cibler les fêtes politiques allemandes avecun leurre sur le thème de la CDU. & nbsp; & nbsp; C'est la première fois que nous voyons ce cluster APT29 cible des partis politiques, indiquant une zone émergente émergenteFocus opérationnel au-delà du ciblage typique des missions diplomatiques. basée sur la responsabilité du SVR \\ de collecter l'intelligence politique et cette cluster APT29 \\ 'sModèles de ciblage historiques, nous jugeons cette activité pour présenter une large menace pour les partis politiques européens et autres occidentaux de tous les politiques
Executive SummaryIn late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions.Based on the SVR\'s responsibility to collect political intelligence and this APT29 cluster\'s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political |
Threat | APT 29 | ★★ |
|
2024-03-22 00:00:00 | APT29 Uses WINELOADER to Target German Political Parties (lien direct) | Written by: Luke Jenkins, Dan Black
Executive Summary In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR\'s responsibility to collect political intelligence and this APT29 cluster\'s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum. Please see the Technical Annex for technical details and MITRE ATT&CK techniques, (T1543.003, T1012, T1082, T1134, T1057, T1007, T1027, T1070.004, T1055.003 and T1083) Threat Detail In late February 2024, Mandiant identified APT29 - a Russian Federation backed threat group linked by multiple governments to Russia\'s Foreign Intelligence Service (SVR) - conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29\'s mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor variant publicly tracked as WINELOADER. Notably, this activity represents a departure from this APT29 initial access cluster\'s typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster. Additionally, while APT29 has previously used lure documents bearing the logo of German government organizations, this is the first instance where we have seen the group use German-language lure content - a possible artifact of the targeting differences (i.e. domestic vs. foreign) between the two operations. Phishing emails were sent to victims purporting to be an invite to a dinner reception on 01 March bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany (see Figure 1). The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website “https://waterforvoiceless[.]org/invite.php”. ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload retrieved from “waterforvoiceless[.]org/util.php”. WINELOADER was first observed in operational use in late January 2024 in an operation targeting likely diplomatic entities in Czechia, Germany, India, Italy, Latvia, and Peru. The backdoor contains several features and functions that overlap with several known APT29 malware families including BURNTBATTER, MUSKYBEAT and BEATDROP, indicating they are likely created by a common developer (see Technical Annex for additional details). |
Malware Threat Cloud Technical | APT 29 | ★★★ |
|
2024-03-21 09:00:00 | Rendre l'accès - Les courtiers d'accès initiaux exploitent F5 Big-IP (CVE-2023-46747) et ScreenConnect Bringing Access Back - Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect (lien direct) |
Au cours d'une enquête d'intrusion fin octobre 2023, Mandiant a observé une nouvelle exploitation n-day de & nbsp; CVE-2023-46747 Interface utilisateur de gestion du trafic Big-IP F5.De plus, en février 2024, nous avons observé l'exploitation de ConnectWise Screenconnect CVE-2024-1709 par le même acteur.Ce mélange d'outillage personnalisé et du cadre SuperShell exploité dans ces incidents est évalué avec une confiance modérée pour être unique pour une menace de la République de Chine (PRC), unc5174. Mandiant évalue UNC5174 (censé utiliser le personnage "Uteus") est un ancien membre de la Chine
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People\'s Republic of China (PRC) threat actor, UNC5174.Mandiant assesses UNC5174 (believed to use the persona "Uteus") is a former member of Chinese |
Threat | ★★ | |
|
2024-03-21 00:00:00 | Bringing Access Back - Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect (lien direct) | Written by: Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, Austin Larsen
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People\'s Republic of China (PRC) threat actor, UNC5174. Mandiant assesses UNC5174 (believed to use the persona "Uteus") is a former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China\'s Ministry of State Security (MSS) focused on executing access operations. UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, UK government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation. In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada. Targeting and Timeline UNC5174 has been linked to widespread aggressive targeting and intrusions of Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and UK government organizations during October and November 2023, as well as in February 2024. The actor appears primarily focused on executing access operations. Mandiant observed UNC5174 exploiting various vulnerabilities during this time. ConnectWise ScreenConnect Vulnerability CVE-2024-1709 F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability CVE-2023-46747 Atlassian Confluence CVE-2023-22518 Linux Kernel Exploit CVE-2022-0185 Zyxel Firewall OS Command Injection Vulnerability CVE-2022-30525 Investigations revealed several instances of UNC5174 infrastructure, exposing the attackers\' bash command history. This history detailed artifacts of extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions. Additionally, key strategic targets like think tanks in the U.S. and Taiwan were identified; however, Mandiant does not have significant evidence to determine successful exploitation of these targets. 
Figure 1: UNC5174 global targeting map
Initial Disclosure of CVE-2023-46747
On Oct. 25, 2023, Praetorian published an advisory and proof-of-concept (PoC) for a zero-day (0-day) vulnerabil |
Malware Tool Vulnerability Threat Cloud | ★★★ | |
|
2024-02-28 00:00:00 | Quand les chats volent: l'acteur de menace iranienne présumée UNC1549 cible les secteurs de l'aérospatiale et de la défense israéliens et du Moyen-Orient When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors (lien direct) |
Aujourd'hui, Mandiant publie un article de blog sur & nbsp; Activité d'espionnage Iran-Nexus présumée ciblant les industries aérospatiales, de l'aviation et de la défense au Moyen-Orient Des pays, dont Israël et les Émirats arabes unis (EAU) et potentiellement la Turquie, l'Inde et l'Albanie. & nbsp; mandiant attribue cette activité avec une confiance modéréeà l'acteur iranien UNC1549 , qui chevauche & nbsp; tortue -Un acteur de menace qui a été publiquement & nbsp; lié à & nbsp; Le Corps de la Garde révolutionnaire islamique de l'Iran \\ (IRGC) .Tortoirhesell a déjà tenté de compromettre les chaînes d'approvisionnement en ciblant les entrepreneurs de défense et il
Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania. Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell-a threat actor that has been publicly linked to Iran\'s Islamic Revolutionary Guard Corps (IRGC). Tortoiseshell has previously attempted to compromise supply chains by targeting defense contractors and IT |
Threat | ★★★ | |
|
2024-02-27 21:30:00 | Cutting avant, partie 3: Enquête sur Ivanti Connect Secure Secure VPN Exploitation et Tentatives de persistance Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts (lien direct) |
Les enquêtes de mandiant et ivanti \\ sur les larges et nbsp; Ivanti Exploitation zéro-jour se sont poursuivis à travers une variété de verticales de l'industrie, y compris le secteur de la base industrielle de la défense américaine.Après la publication initiale du 10 janvier 2024, Mandiant a observé des tentatives de masse pour exploiter ces vulnérabilités par un petit nombre d'acteurs de la menace de Chine-Nexus, et le développement d'un byligation d'exploitation de ciblage & nbsp; CVE-2024-21893 utilisé par & nbsp; unc5325 , que nous avons introduit dans notre & nbsp; " Cutting Edge, partie 2 "Blog Article . & nbsp; notamment, Mandiant a identifié unc5325 en utilisant une combinaison de vie-the-land (LOTL)
Mandiant and Ivanti\'s investigations into widespread Ivanti zero-day exploitation have continued across a variety of industry verticals, including the U.S. defense industrial base sector. Following the initial publication on Jan. 10, 2024, Mandiant observed mass attempts to exploit these vulnerabilities by a small number of China-nexus threat actors, and development of a mitigation bypass exploit targeting CVE-2024-21893 used by UNC5325, which we introduced in our "Cutting Edge, Part 2" blog post. Notably, Mandiant has identified UNC5325 using a combination of living-off-the-land (LotL) |
Vulnerability Threat Industrial | ★★ | |
|
2024-02-21 00:00:00 | Dévoiler l'évaluation de l'échéance du programme d'intelligence de cyber-menace de Maniant Unveiling Mandiant\\'s Cyber Threat Intelligence Program Maturity Assessment (lien direct) |
Dans le cadre de l'engagement continu de Google Cloud \\ à améliorer l'état global de cybersécurité pour la société, Mandiant publie aujourd'hui publiquement un Discovery des capacités d'intelligence basées sur les web (ICD) pour aider les organisations commerciales et gouvernementales à évaluerLa maturité de leur programme d'intelligence cyber-menace (CTI).La CIM est conçue pour fournir aux praticiens de la cybersécurité et aux dirigeants du renseignement des menaces une estimation de la façon dont le programme CTI \\ de l'organisation crée un impact organisationnel positif et réduit le risque pour l'entreprise.La CIM joue un critique
As part of Google Cloud\'s continuing commitment to improving the overall state of cybersecurity for society, today Mandiant is publicly releasing a web-based Intelligence Capability Discovery (ICD) to help commercial and governmental organizations evaluate the maturity of their cyber threat intelligence (CTI) program. The ICD is designed to provide cyber security practitioners and threat intelligence leaders with an estimate of how effectively and efficiently the organization\'s CTI program is creating a positive organizational impact and reducing risk for the business. The ICD plays a critical |
Threat Cloud Commercial | ★★★ | |
|
2024-01-31 16:30:00 | Cutting Edge, partie 2: Enquêter Ivanti Connect Secure VPN Exploitation Zero-Day Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation (lien direct) |
Le 12 janvier 2024, Mandiant a publié un Article de blog Détaillant deux vulnérabilités à haut impact, CVE-2023-46805 et CVE-2024-21887 , affectant Ivanti Connect Secure VPN (CS, anciennement Secure Secure) et Ivanti Secure (Ps) Appareils.Le 31 janvier 2024, Ivanti divulgué Deux vulnérabilités supplémentaires ayant un impact sur les dispositifs CS et PS, CVE-2024-21888 et CVE-2024-21893. Les vulnérabilités permettent à un acteur de menace non authentifié d'exécuter des commandes arbitraires sur l'appareil avec des privilèges élevés.Comme indiqué précédemment, Mandiant a identifié l'exploitation zéro jour de ces vulnérabilités
On Jan. 12, 2024, Mandiant published a blog post detailing two high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and Ivanti Policy Secure (PS) appliances. On Jan. 31, 2024, Ivanti disclosed two additional vulnerabilities impacting CS and PS devices, CVE-2024-21888 and CVE-2024-21893.The vulnerabilities allow for an unauthenticated threat actor to execute arbitrary commands on the appliance with elevated privileges. As previously reported, Mandiant has identified zero-day exploitation of these vulnerabilities |
Vulnerability Threat | ★★ | |
|
2024-01-19 17:30:00 | Le groupe d'espionnage chinois UNC3886 a trouvé l'exploitation du CVE-2023-34048 depuis la fin 2021 Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021 (lien direct) |
Bien que signalé et corrigé publiquement en octobre 2023, la sécurité des produits Mandiant et VMware a trouvé unc3886 , un groupe d'espionnage China-Nexus très avancé, a exploité CVE-2023-34048 jusqu'à la fin 2021. Ces résultats proviennent de la recherche continue de Maniant \\ de Les nouveaux chemins d'attaque utilisés par unc3886 , qui se concentre historiquement sur les technologies qui ne sont pas en mesure de les déployer par EDR.UNC3886 a une expérience en utilisant des vulnérabilités zéro-jours pour terminer leur mission sans être détectée, et ce dernier exemple démontre en outre leurs capacités. Lorsque vous couvrez
While publicly reported and patched in October 2023, Mandiant and VMware Product Security have found UNC3886, a highly advanced China-nexus espionage group, has been exploiting CVE-2023-34048 as far back as late 2021.These findings stem from Mandiant\'s continued research of the novel attack paths used by UNC3886, which historically focuses on technologies that are unable to have EDR deployed to them. UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities. When covering |
Vulnerability Threat | ★★★★ | |
|
2024-01-11 02:00:00 | Cutting avant: cibles présumées APT Ivanti Connect Secure VPN dans une nouvelle exploitation zéro-jour Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation (lien direct) |
Remarque: Il s'agit d'une campagne de développement sous analyse active de Mandiant et Ivanti.Nous continuerons à ajouter plus d'indicateurs, de détections et d'informations à ce billet de blog au besoin. le 10 janvier 2024, ivanti divulgué Deux vulnérabilités, CVE-2023-46805 et CVE-2024-21887 , impactant Ivanti Connect Secure VPN (" CS ", anciennement Secure Secure) et Ivanti Secure (" PS") appareils électroménagers.Une exploitation réussie pourrait entraîner un contournement d'authentification et une injection de commandement, entraînant un autre compromis en aval d'un réseau de victimes.Mandiant a identifié l'exploitation zéro-jour de ces vulnérabilités
Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure VPN (“CS”, formerly Pulse Secure) and Ivanti Policy Secure (“PS”) appliances. Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities |
Vulnerability Threat | ★★★ | |
|
2023-12-14 21:00:00 | Le cyber-instantané du défenseur du défenseur, le numéro 5 - Insiders, applications et risque atténuant The Defender\\'s Advantage Cyber Snapshot, Issue 5 - Insiders, Applications, and Mitigating Risk (lien direct) |
Le rapport de cyber-instantan avant le défenseur \\ fournit un aperçu des sujets de cyber-défense d'une importance croissante en fonction des observations de première ligne mandiantes et des expériences du monde réel. La cinquième édition couvre un large éventail de sujets, y compris l'idéologie et le paysage des menaces d'initiés, des étapes critiques pour aider à atténuer votre cyber-risque, la croissance de la croissance deCiblage de l'industrie maritime, sécurisation de la cyber-défenses de votre application, et l'importance de la chasse aux menaces dirigée par le renseignement. Téléchargez l'avantage complet du Defender \\ du défenseur complet, le numéro 5 du rapport Pour en savoir plusÀ propos de ces cinq sujets chauds: compresseur
The Defender\'s Advantage Cyber Snapshot report provides insights into cyber defense topics of growing importance based on Mandiant frontline observations and real-world experiences. The fifth edition covers a wide range of topics, including the ideology and landscape of insider threats, critical steps to help mitigate your cyber risk, the growth of maritime industry targeting, securing your application\'s cyber defenses, and the importance of intelligence-led threat hunting.Download the full Defender\'s Advantage Cyber Snapshot, Issue 5 report to learn more about these five hot topics: Understan |
Threat | ★★ | |
|
2023-12-14 17:00:00 | Ouvrir une boîte de publicités Whoop: détecter et perturber une campagne de malvertisation distribuant des déambulations Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors (lien direct) |
Plus tôt cette année, l'équipe de chasse des menaces de défense gérée de Mandiant \\ a identifié une campagne de publicité malveillante («malvertisante») UNC2975 faisant la promotion de sites Web malveillants sur le thème des fonds non réclamés.Cette campagne remonte au moins le 19 juin 2023, et a abusé du trafic de moteurs de recherche et des publicités malveillantes à effet de levier pour affecter plusieurs organisations, ce qui a entraîné la livraison des délais de Danabot et Darkgate. La défense gérée a travaillé avec des pratiques avancées et avec l'équipe anti-Malvertising Google pour supprimer les publicités malveillantes de l'écosystème d'annonces, puis
Earlier this year, Mandiant\'s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign promoting malicious websites themed around unclaimed funds. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors.Managed Defense worked with Advanced Practices and with the Google Anti-Malvertising team to remove the malicious advertisements from the ads ecosystem, and subsequently |
Threat | ★★ | |
|
2023-11-30 17:00:00 | Amélioration des outils d'analyse des logiciels malveillants de Flare \\ à Google Summer of Code 2023 Improving FLARE\\'s Malware Analysis Tools at Google Summer of Code 2023 (lien direct) |
Cet été a marqué la première année de la première année de l'équipe Flare \\ à googleÉté du code (GSOC) .GSOC est un programme mondial de mentorat en ligne axé sur l'introduction de nouveaux contributeurs au développement de logiciels open source.Les contributeurs du GSOC travaillent avec des mentors pour réaliser des projets de plus de 12 semaines qui soutiennent les organisations open source.En 2023, Flare a été acceptée en GSOC et a eu le privilège de travailler avec quatre contributeurs. Flare est une équipe d'ingénieurs et de chercheurs insensés qui se spécialisent dans l'analyse des logiciels malveillants, Exploiter Analyse et formation de logiciels malveillants.Flare développe, maintient et publie divers ouverts
This summer marked the FLARE team\'s first year participating in Google Summer of Code (GSoC). GSoC is a global online mentoring program focused on introducing new contributors to open source software development. GSoC contributors work with mentors to complete 12+ week projects that support open source organizations. During 2023 FLARE was accepted into GSoC and had the privilege of working with four contributors.FLARE is a team of reverse engineers and researchers who specialize in malware analysis, exploit analysis, and malware training. FLARE develops, maintains, and publishes various open |
Malware Tool Threat | ★★★ | |
|
2023-11-16 18:00:00 | Menace d'initié: chasse et détection Insider Threat: Hunting and Detecting (lien direct) |
La menace d'initié est un défi à multiples facettes qui représente aujourd'hui un risque de cybersécurité significatif pour les organisations.Certains sont des initiés malveillants tels que les employés qui cherchent à voler des données ou à saboter l'organisation.Certains sont des initiés involontaires tels que des employés qui commettent des erreurs imprudents ou sont victimes de phisses. Si vous avez besoin d'un rafraîchissement sur les menaces d'initiés ou leur impact, veuillez vous référer à nos articles de blog précédents: menace d'initié: les dangers à l'intérieur menace d'initié: Études d'impact L'identification des menaces d'initié devient de plus en plus importante.Les initiés malveillants transportent souvent
The insider threat is a multifaceted challenge that represents a significant cybersecurity risk to organizations today. Some are malicious insiders such as employees looking to steal data or sabotage the organization. Some are unintentional insiders such as employees who make careless mistakes or fall victim to phishing attacks. If you need a refresher on what insider threats are or their impact, please refer to our previous blog posts:Insider Threat: The Dangers WithinInsider Threat: Impact StudiesIdentifying insider threats is becoming increasingly important. Malicious insiders often carry |
Threat | ★★★★ | |
|
2023-11-14 17:00:00 | Le processus CTI Hyperloop: une mise en œuvre pratique du cycle de vie du processus CTI The CTI Process Hyperloop: A Practical Implementation of the CTI Process Lifecycle (lien direct) |
Implémentation du cycle de vie du processus CTI en tant que Hyperloop Le cycle Hyperloop de renseignement est un modèle de mise en œuvre du cyber-menace Intelligence (CTI).Le cycle de vie est un processus bien établi décrivant la façon dont les produits d'intelligence sont motivés par la planification et la direction initialement, suivis des phases de collecte, de traitement, d'analyse, de production et de diffusion.La nature cyclique décrit comment les produits diffusés éclairent ensuite une nouvelle étape de planification et de direction d'un nouveau cycle. | Threat | ★★★★ | |
|
2023-11-09 15:00:00 | Le ver de sable perturbe le pouvoir en Ukraine en utilisant une nouvelle attaque contre la technologie opérationnelle Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology (lien direct) |
fin 2022, Mandiant a répondu à un incident de cyber-physique perturbateur dans lequel l'acteur de menace lié à la Russie a ciblé une organisation d'infrastructure critique ukrainienne.Cet incident était une cyberattaque multi-événements qui a exploité une nouvelle technique pour avoir un impact sur les systèmes de contrôle industriel (CI) / technologie opérationnelle (OT).L'acteur a d'abord utilisé le niveau OT vivant des techniques terrestres (LOTL) pour déclencher probablement les disjoncteurs de sous-station de la victime, provoquant une panne de courant imprévue qui coïncidait avec les frappes de missiles de masse sur les infrastructures critiques à travers l'Ukraine.Sandworm plus tard
In late 2022, Mandiant responded to a disruptive cyber physical incident in which the Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber attack that leveraged a novel technique for impacting industrial control systems (ICS) / operational technology (OT). The actor first used OT-level living off the land (LotL) techniques to likely trip the victim\'s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. Sandworm later |
Threat Industrial | APT 28 | ★★ |
|
2023-10-13 11:15:00 | Mises à jour des produits de renseignement Mandiant Threat pour octobre 2023 Mandiant Threat Intelligence Product Updates for October 2023 (lien direct) |
mandiantIntelligence de menace a ajouté un certain nombre de fonctionnalités et capacités nouvelles et mises à jour, qui sont désormais disponibles dans l'aperçu public ou la disponibilité générale.Ces nouvelles capacités vous aident à gagner du temps et à mieux comprendre les menaces vous ciblant.
Aperçu public
Surveillance des informations d'identification compromises: Surveillez vos informations d'identification compromises qui peuvent avoir fui sur la toile profonde et sombre.Les capacités de surveillance des informations d'identification compromises dans Surveillance des menaces numériques peut vous alerter automatiquement si des comptes liés à votre organisation - les deux employés interneset les clients - ont
Mandiant Threat Intelligence has added a number of new and updated features and capabilities, which are now available in public preview or general availability. These new capabilities help you save time and gain more insight into the threats targeting you. Public Preview Compromised credentials monitoring: Monitor your compromised credentials that may have leaked on the deep and dark web. The compromised credentials monitoring capabilities in Digital Threat Monitoring can automatically alert you if any accounts linked to your organization - both internal employees and customers - have |
Threat | ★★★ | |
|
2023-10-10 07:00:00 | Évalué la cyber-structure et les alignements de la Corée du Nord en 2023 Assessed Cyber Structure and Alignments of North Korea in 2023 (lien direct) |
résumé exécutif
Le programme offensif de DPRK \\ continue d'évoluer, montrant que le régime est déterminé à continuer à utiliser des cyber-intrusions pour mener les deuxEspionage et crime financier pour projeter le pouvoir et financer à la fois leurs capacités cyber et cinétiques.
Les dernières opérations de Nexus DPRK font allusion à une augmentation de l'adaptabilité et de la complexité, y compris une attaque de chaîne d'approvisionnement en cascade vue pour la première fois, et ciblant régulièrementBlockchain et fintech verticals.
Alors que différents groupes de menaces partagent des outils et du code, l'activité de menace nord-coréenne continue de s'adapter et de changer
Executive Summary The DPRK\'s offensive program continues to evolve, showing that the regime is determined to continue using cyber intrusions to conduct both espionage and financial crime to project power and to finance both their cyber and kinetic capabilities. Latest DPRK nexus operations hint at an increase in adaptability and complexity, including a cascading software supply chain attack seen for the first time, and consistently targeting blockchain and fintech verticals. While different threat groups share tooling and code, North Korean threat activity continues to adapt and change |
Threat | ★★★ | |
|
2023-09-14 17:00:00 | Pourquoi tu m'envoyez un texto?UNC3944 tire parti des campagnes de phishing SMS pour l'échange de SIM, les ransomwares, l'extorsion et la notoriété Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety (lien direct) |
unc3944 est un cluster de menace motivé financièrement qui a utilisé de manière persistante Génie social basé sur téléphone et les campagnes de phishing SMS (SMSHing) pour obtenir des informations d'identification pour gagner et augmenter l'accès aux organisations victimes.Au moins, certains acteurs de la menace UNC3944 semblent opérer dans des communautés souterraines, telles que Telegram et Forums Underground, qu'ils peuvent exploiter pour acquérir des outils, des services et / ou d'autres soutiens pour augmenter leurs opérations.Cette activité chevauche une activité qui a été rapportée dans des sources ouvertes comme " 0ktapus , "" disperser les porcs , "et" Araignée dispersée . "Depuis 2022 et via
UNC3944 is a financially motivated threat cluster that has persistently used phone-based social engineering and SMS phishing campaigns (smshing) to obtain credentials to gain and escalate access to victim organizations. At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and underground forums, which they may leverage to acquire tools, services, and/or other support to augment their operations. This activity overlaps with activity that has been reported in open sources as "0ktapus," "Scatter Swine," and "Scattered Spider." Since 2022 and through |
Threat | ★★ | |
|
2023-08-30 09:30:00 | Revisiter des conseils de sécurité traditionnels pour les menaces modernes Revisiting Traditional Security Advice for Modern Threats (lien direct) |
Les attaques modernes ciblant les chaînes d'approvisionnement, en utilisant des exploits zéro-jour et en exploitant les vulnérabilités dans les appareils de sécurité ont inondé les salles de rédaction, les salles de conférence et la menacerapporte ces derniers mois.Certains exemples ont été uniques et intéressants, y compris le 3cx Compromis de chaîne d'approvisionnement du logiciel lié aux compromis de la chaîne d'approvisionnement du logiciel des technologies de trading, et le Compromis de chaîne d'approvisionnement de JumpCloud qui a été rendu possible par une campagne sophistiquée de phishing de lance.D'autres exemples ont été légèrement plus traditionnels, comme l'exploitation de Vulnérabilités dans les appareils de sécurité tels quecomme
Modern attacks targeting supply chains, using zero-day exploits, and exploiting vulnerabilities in security appliances have been flooding newsrooms, boardrooms and threat reports in recent months. Some examples have been unique and interesting, including the 3CX software supply chain compromise linked to Trading Technologies software supply chain compromise, and the supply chain compromise of JumpCloud that was made possible by a sophisticated spear phishing campaign. Other examples have been slightly more traditional, such as exploitation of vulnerabilities in security appliances such as |
Vulnerability Threat | ★★★ | |
|
2023-08-29 07:00:00 | Plongée profondément dans les opérations UNC4841 après la correction de Barracuda ESG (CVE-2023-2868) Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) (lien direct) |
Le 15 juin 2023, mandiant libéré un article de blog détaillant un espionnage global de 8 mois Un4841 .Dans cet article de blog de suivi, nous détaillerons des tactiques, des techniques et des procédures supplémentaires (TTP) employés par UNC4841 qui ont depuis été découverts par le biais des engagements de réponse aux incidents de Mandiant, ainsi que par des efforts de collaboration avec les réseaux de Barracuda et notrePartenaires du gouvernement international.
Au cours de cet article de blog, Mandiant détaillera comment UNC4841 a continué à montrer la sophistication et l'adaptabilité dans
On June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a Chinese-nexus threat group tracked as UNC4841. In this follow-up blog post, we will detail additional tactics, techniques, and procedures (TTPs) employed by UNC4841 that have since been uncovered through Mandiant\'s incident response engagements, as well as through collaborative efforts with Barracuda Networks and our International Government partners. Over the course of this blog post, Mandiant will detail how UNC4841 has continued to show sophistication and adaptability in |
Threat | ★★★ | |
|
2023-08-24 09:00:00 | L'IA et les cinq phases du cycle de vie de l'intelligence des menaces AI and the Five Phases of the Threat Intelligence Lifecycle (lien direct) |
L'intelligence artificielle (IA) et les modèles de grandes langues (LLM) peuvent aider les équipes de renseignement à détecter et à comprendre les nouvelles menaces à grande échelle,Réduisez le labeur induisant l'épuisement professionnel et développez leur talent existant en démocratisant l'accès à l'expertise en la matière.Cependant, un large accès aux données fondamentales de l'intelligence open source (OSINT) et aux technologies AI / ML a rapidement conduit à une quantité écrasante de bruit pour les utilisateurs.Mandiant, en revanche, adopte une approche plus nuancée pour fusionner l'expertise de pointe, des sources de données propriétaires uniques et une ML de pointe pour permettre à un >
Artificial intelligence (AI) and large language models (LLMs) can help threat intelligence teams to detect and understand novel threats at scale, reduce burnout-inducing toil, and grow their existing talent by democratizing access to subject matter expertise. However, broad access to foundational Open Source Intelligence (OSINT) data and AI/ML technologies has quickly led to an overwhelming amount of noise for users to sift through. Mandiant, by contrast, takes a more nuanced approach to fuse industry-leading expertise, unique proprietary data sources, and cutting-edge ML to enable a holistic |
Threat | ★★★★ | |
|
2023-08-17 07:00:00 | Les acteurs de la menace sont intéressés par une IA générative, mais l'utilisation reste limitée Threat Actors are Interested in Generative AI, but Use Remains Limited (lien direct) |
Depuis au moins 2019, Mandiant a suivi l'intérêt des acteurs de la menace et des capacités d'IA pour faciliter une variété d'activités malveillantes.Sur la base de nos propres observations et comptes open source, l'adoption de l'IA dans les opérations d'intrusion reste limitée et principalement liée à l'ingénierie sociale.
En revanche, les acteurs des opérations de l'information de diverses motivations et capacités ont de plus en plus exploité le contenu généré par l'IA, en particulier l'imagerie et la vidéo, dans leurs campagnes, probablementDû au moins en partie aux applications facilement apparentes de ces fabrications dans la désinformation
Since at least 2019, Mandiant has tracked threat actor interest in, and use of, AI capabilities to facilitate a variety of malicious activity. Based on our own observations and open source accounts, adoption of AI in intrusion operations remains limited and primarily related to social engineering. In contrast, information operations actors of diverse motivations and capabilities have increasingly leveraged AI-generated content, particularly imagery and video, in their campaigns, likely due at least in part to the readily apparent applications of such fabrications in disinformation |
Threat | ★★★ | |
|
2023-08-14 14:30:00 | Indicateurs du scanner de compromis pour Citrix ADC Zero-Day (CVE-2023-3519) Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) (lien direct) |
mandiant a récemment publié un Article de blog sur le compromis de Citrix NetScaler Delivery Controller (ADC) et des appareils de passerelle NetScaler liés à la vulnérabilité du jour zéro suivi sous le nom de cve-2023-3519 .Le CVE-2023-3519 est une vulnérabilité zéro-jour qui peut permettre l'exécution du code distant, et a été observé exploité dans la nature par un acteur de menace cohérent avec une Chine-Nexus basée sur des capacités connues et une histoire de ciblage des ADC Citrix.Récemment, la preuve de concepts pour exploiter cette vulnérabilité a été publiquement posté .
Aujourd'hui, nous publions un outil pour aider
Mandiant recently published a blog post about the compromise of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Appliances related to the zero-day vulnerability tracked as CVE-2023-3519. CVE-2023-3519 is a zero-day vulnerability that can enable remote code execution, and has been observed being exploited in the wild by a threat actor consistent with a China-nexus based on known capabilities and history of targeting Citrix ADCs. Recently, proof-of-concepts to exploit this vulnerability have been publicly posted. Today we are releasing a tool to help |
Tool Vulnerability Threat | ★★★ | |
|
2023-08-03 11:30:00 | Le rapport sur les horizons de menace d'août 2023 fournit des informations et des recommandations axées sur la cybersécurité axées August 2023 Threat Horizons Report Provides Cloud-Focused Cybersecurity Insights and Recommendations (lien direct) |
Le rapport Google Cloud Keners Horizons a été lancé pour la première fois en novembre 2021 dans le but ultime de fournir aux décideurs de sécurité des informations stratégiques sur les menaces pour les utilisateurs des entreprises dans le cloud, ainsi que les données, les métriques, les tendances et les recherches supplémentaires sur le cloud.Peut-être plus important encore, le rapport visait à fournir des recommandations des équipes de renseignement et de sécurité de Google \\ pour aider les défenseurs à protéger, à détecter et à répondre aux derniers cloud et autres menaces.
Aujourd'hui marque la sortie de la septième édition de notre publication trimestrielle, août 2023 Rapport des horizons de menace , Et notre
The Google Cloud Threat Horizons Report first launched in November 2021 with the ultimate goal of providing security decision-makers with strategic intelligence about threats to cloud enterprise users, along with data, metrics, trends, and additional cloud research. Perhaps most importantly, the report aimed to provide recommendations from Google\'s intelligence and security teams to help defenders protect against, detect, and respond to the latest cloud and other threats. Today marks the release of the seventh edition of our quarterly publication, August 2023 Threat Horizons Report, and our |
Threat Cloud | ★★★ | |
|
2023-08-03 09:30:00 | Google a nommé un leader du service de renseignement des menaces externes Forrester Wave ™ Google Named a Leader in the External Threat Intelligence Service Forrester Wave™ (lien direct) |
 google a été nommé leader dans The Forrester Wave ™: External Threat Intelligence Service Providers, Q3 2023 .Forrester a identifié 12 grandes entreprises dans l'espace de renseignement des menaces et Google a reçu le score le plus élevé possible en 15 des 29 critères.
Le rapport Forrester indique: "Google est prêt à devenir le fournisseur de renseignement de menace le plus pertinent et le plus dominant."De plus, l'acquisition de Google \\ de Mandiant et la puissance des intégrations sont mentionnées dans le rapport: «Les offres mandiantes peuvent désormais tirer parti de la puissance, de l'échelle et de l'innovation de Google pour découvrir, personnaliser et
 Google was named a Leader in The Forrester Wave™: External Threat Intelligence Service Providers, Q3 2023. Forrester identified 12 top companies in the threat intelligence space and Google received the highest possible score in 15 out of the 29 criteria.
The Forrester report states, “Google is poised to become the most relevant and dominant threat intelligence provider.” Additionally, Google\'s acquisition of Mandiant and the power of the integrations are mentioned in the report, “The Mandiant offerings can now leverage the power, scale, and innovation of Google to discover, personalize, and |
Threat | ★★ | |
|
2023-08-02 09:00:00 | Silos transcendant: améliorer la collaboration entre l'intelligence des menaces et le cyber-risque Transcending Silos: Improving Collaboration Between Threat Intelligence and Cyber Risk (lien direct) |
Le renseignement des cyber-menaces (CTI) et la gestion des risques sont devenus des disciplines distinctes, mais ils partagent de nombreuses similitudes dans leur mission.Les deux approches éclairent la prise de décision en fournissant des informations de haute qualité sur les menaces et les risques les plus pertinents qui ont un impact sur les organisations.Bien que les équipes de risques et de CTI abordent ce défi à partir de différents points de vue, leur mission partagée sous-jacente crée des opportunités passionnantes de collaboration.La collaboration offre également une occasion sans frais de transformer le personnel sur des compétences complémentaires, augmentant la capacité existante pour aborder le plus grand inhibiteur
Cyber Threat Intelligence (CTI) and risk management have emerged as distinct disciplines, yet they share many similarities in their mission. Both approaches inform decision-making by providing high-quality insight on the most relevant threats and risks impacting organizations. Although risk and CTI teams approach this challenge from different vantage points, their underlying shared mission creates exciting opportunities for collaboration. Collaboration also provides a no-cost opportunity to cross-train staff on complementary skills, augmenting existing capacity to address the biggest inhibitor |
Threat | ★★★ | |
|
2023-07-21 16:00:00 | Exploitation de Citrix Zero-Day par d'éventuels acteurs d'espionnage (CVE-2023-3519) Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) (lien direct) |
Remarque: Il s'agit d'une campagne de développement sous analyse active.Nous continuerons d'ajouter plus d'indicateurs, de conseils de chasse et d'informations à cet article de blog au besoin.
Les périphériques de sécurité et de réseautage sont des "périphériques Edge", ce qui signifie qu'ils sont connectés à Internet.Si un attaquant réussit à exploiter une vulnérabilité sur ces appareils, il peut obtenir un accès initial sans interaction humaine, ce qui réduit les chances de détection.Tant que l'exploit reste inconnu, l'acteur de menace peut le réutiliser pour accéder à des victimes supplémentaires ou rétablir l'accès aux systèmes ciblés
Note: This is a developing campaign under active analysis. We will continue to add more indicators, hunting tips, and information to this blog post as needed. Security and networking devices are "edge devices," meaning they are connected to the internet. If an attacker is successful in exploiting a vulnerability on these appliances, they can gain initial access without human interaction, which reduces the chances of detection. As long as the exploit remains undiscovered, the threat actor can reuse it to gain access to additional victims or reestablish access to targeted systems |
Vulnerability Threat | ★★★ | |
|
2023-07-18 09:00:00 | Mode furtif: les acteurs chinois de cyber-espionnage continuent d'évoluer les tactiques pour éviter la détection Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection (lien direct) |
Mandiant Intelligence suit plusieurs façons dont l'activité de cyber-espionnage chinoise a de plus en plus profité des stratégies initiales d'accès et de post-compromis destinées à minimiser les opportunités de détection.Plus précisément, cette analyse met en évidence les groupes de menaces chinoises \\ 'Exploitation de zéro-jours dans les logiciels de sécurité, de réseautage et de virtualisation, et le ciblage des routeurs et d'autres méthodes pour relayer et déguiser le trafic d'attaquant à l'extérieur et à l'intérieur des réseaux de victimes.Nous évaluons avec une grande confiance que les groupes de cyber-espionnage chinois utilisent ces techniques pour éviter la détection et
Mandiant Intelligence is tracking several ways in which Chinese cyber espionage activity has increasingly leveraged initial access and post-compromise strategies intended to minimize opportunities for detection. Specifically, this analysis highlights Chinese threat groups\' exploitation of zero-days in security, networking, and virtualization software, and targeting of routers and other methods to relay and disguise attacker traffic both outside and inside victim networks. We assess with high confidence that Chinese cyber espionage groups are using these techniques to avoid detection and |
Threat | ★★★★ | |
|
2023-06-13 09:00:00 | VMware Esxi Zero-Day utilisé par l'acteur d'espionnage chinois pour effectuer des opérations invitées privilégiées sur des hyperviseurs compromis VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors (lien direct) |
nécessite l'accès à l'hyperviseur pour exploiter la vulnérabilité (par exempleGrâce aux informations d'identification ESXi volées)
En tant que solutions de détection et de réponse (EDR) (EDR) améliorer l'efficacité de détection de logiciels malveillants sur les systèmes Windows et Linux, certains acteurs de menace parrainés par l'État se sont déplacés vers le développementet déploiement de logiciels malveillants sur des systèmes qui ne prennent généralement pas en charge Edr tels que les appareils réseau, les tableaux SAN, etHôtes VMware ESXi.
À la fin de 2022, les détails publiés mandiant entourant un Nouveau système de logiciels malveillants Déploié par unc3886, un groupe de cyber-espionnage chinois, qui Impact hôtes VMware ESXi impactés ESXI Hosts ESXi impactés ESXi hôtes ESXi Hosts VMware ESXI Hosts VMware ESXI IACT., serveurs vCenter
Requires access to the hypervisor to exploit the vulnerability (e.g. through stolen ESXi credentials) As Endpoint Detection and Response (EDR) solutions improve malware detection efficacy on Windows and Linux systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi hosts. In late 2022, Mandiant published details surrounding a novel malware system deployed by UNC3886, a Chinese cyber espionage group, which impacted VMware ESXi hosts, vCenter servers |
Malware Vulnerability Threat | ★★★★ | |
|
2023-05-22 09:00:00 | Don \\ 't @ moi: l'obscurcissement de l'URL à travers les abus de schéma Don\\'t @ Me: URL Obfuscation Through Schema Abuse (lien direct) |
Une technique est utilisée dans la distribution de plusieurs familles de logiciels malveillants qui obscurcissent la destination finale d'une URL en abusant du schéma URL .Mandiant suit cette méthodologie adversaire en tant que " URL Schema Obfuscation ” . La technique pourrait augmenter la probabilité d'une attaque de phishing réussie, et pourrait provoquer des erreurs d'extraction de domaine dans l'exploitation forestière ou l'outillage de sécurité. Si un réseau défense le réseauL'outil s'appuie sur la connaissance du serveur qu'une URL pointe vers (par exemple, la vérification si un domaine est sur un flux Intel de menace), il pourrait potentiellement le contourner et provoquer des lacunes dans la visibilité et la couverture.
A technique is being used in the distribution of multiple families of malware that obfuscates the end destination of a URL by abusing the URL schema. Mandiant tracks this adversary methodology as "URL Schema Obfuscation”. The technique could increase the likelihood of a successful phishing attack, and could cause domain extraction errors in logging or security tooling. If a network defense tool is relying on knowing the server a URL is pointing to (e.g. checking if a domain is on a threat intel feed), it could potentially bypass it and cause gaps in visibility and coverage. Common URL parsing |
Malware Tool Threat | ★★★★ | |
|
2023-05-18 09:00:00 | Une approche axée sur les exigences de l'intelligence cyber-menace A Requirements-Driven Approach to Cyber Threat Intelligence (lien direct) |
Cyber Threat Intelligence (CTI) sert un objectif large: informer, conseiller et autonomiser les parties prenantes au sein d'une organisation.Les fonctions de CTI réussies mettent invariablement les exigences de renseignement des parties prenantes au cœur de leur énoncé de mission.Mais, toute équipe CTI peut et doit adopter une approche axée sur les exigences.
Dans notre rapport, Une approche axée sur les exigences de l'intelligence cyber-menace , nous décrivons ce que signifie être axé sur les exigences dans la pratique.Nous offrons des conseils exploitables sur la façon dont les fonctions d'intelligence peuvent implémenter et optimiser une telle approche au sein de leurs organisations.
met en œuvre
Cyber threat intelligence (CTI) serves a broad purpose: to inform, advise, and empower stakeholders within an organization. Successful CTI functions invariably put stakeholder intelligence requirements at the heart of their mission statement. But, any CTI team can and should adopt a requirements-focused approach. In our report, A Requirements-Driven Approach to Cyber Threat Intelligence, we outline what it means to be requirements-driven in practice. We offer actionable advice on how intelligence functions can implement and optimize such an approach within their organizations. Implemen |
Threat | ★★ | |
|
2023-05-04 09:30:00 | Nouvelles intégrations d'intelligence de menace mandiante pour MISP, Splunk Siem et Soar, et Cortex Xsoar par Palo Alto Networks New Mandiant Threat Intelligence Integrations for MISP, Splunk SIEM and SOAR, and Cortex XSOAR by Palo Alto Networks (lien direct) |
Les professionnels de la sécurité sont souvent submergés par le nombre de consoles de gestion ou de plates-formes dont ils ont besoin pour sauter un jour donné.L'automatisation et le partage d'informations sur les flux de travail existants peuvent décharger ces équipes en éliminant les tâches banales et en réduisant l'erreur humaine.
Les intégrations SaaS mandiant gagnent du temps et aident à rendre les équipes de sécurité plus proactives.L'API de renseignement Mandiant Threat permet aux équipes de sécurité d'intégrer Intelligence de menace mandiante Données directement dans leurs outils de sécurité et flux de travail existants.
dans le cadre de notre engagement en cours à aider les équipes de sécurité à travailler
Security professionals are often overwhelmed by the number of management consoles or platforms they need to jump between on any given day. Automating and sharing information into existing workflows can unburden these teams by eliminating mundane tasks and reducing human error. Mandiant SaaS integrations save time and help make security teams more proactive. The Mandiant Threat Intelligence API allows security teams to integrate Mandiant Threat Intelligence data directly into their existing security tools and workflows. As part of our ongoing commitment to helping security teams work |
Tool Threat Cloud | ★★ |
To see everything:
Our RSS (filtrered)
