What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-05-01 14:00:00 | Uncharmed: Untangling Iran\'s APT42 Operations (lien direct) | Written by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery
APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware. APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 ( |
Malware Tool Threat Cloud | Yahoo APT 35 APT 42 | ★★ |
|
2024-04-30 14:00:00 | Protection des ransomwares et stratégies de confinement: conseils pratiques pour le durcissement et la protection des infrastructures, des identités et des points de terminaison Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints (lien direct) |
Written by: Matthew McWhirt, Omar ElAhdan, Glenn Staniforth, Brian Meyer
Multi-faceted extortion via ransomware and/or data theft is a popular end goal for attackers, representing a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization, including the loss of access to data, systems, and prolonged operational outages. The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls can be overwhelming.Since the initial launch of our report in 2019, data theft and ransomware deployment tactics have continued to evolve and escalate. This evolution marks a shift from manual or script-based ransomware deployment to sophisticated, large-scale operations, including:
Weaponizing Trusted Service Infrastructure (TSI): Adversaries are increasingly abusing legitimate infrastructure and security tools (TSI) to rapidly propagate malware or ransomware across entire networks.
Targeting Virtualization Platforms: Attackers are actively focusing on the virtualization layer, aiming to mass-encrypt virtual machines (VMs) and other critical systems at scale.
Targeting Backup Data / Platforms: Threat actors are exploiting misconfigurations or security gaps in backup systems to either erase or corrupt data backups, severely hindering recovery efforts.
Based upon these newer techniques, it is critical that organizations identify the span of the attack surface, and align proper security controls and visibility that includes coverage for protecting:
Identities
Endpoints
Network Architectures
Remote Access Platforms
Trusted Service Infrastructure (TSI)
Cascading weaknesses across these layers create opportunities for attackers to breach an organization\'s perimeter, gain initial access, and maintain a persistent foothold within the compromised network.
In our updated report, |
Ransomware Malware Tool Threat | ★★★ | |
|
2024-04-29 14:00:00 | De l'assistant à l'analyste: la puissance de Gemini 1.5 Pro pour l'analyse des logiciels malveillants From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis (lien direct) |
Executive Summary A growing amount of malware has naturally increased workloads for defenders and particularly malware analysts, creating a need for improved automation and approaches to dealing with this classic threat. With the recent rise in generative AI tools, we decided to put our own Gemini 1.5 Pro to the test to see how it performed at analyzing malware. By providing code and using a simple prompt, we asked Gemini 1.5 Pro to determine if the file was malicious, and also to provide a list of activities and indicators of compromise. We did this for multiple malware files, testing with both decompiled and disassembled code, and Gemini 1.5 Pro was notably accurate each time, generating summary reports in human-readable language. Gemini 1.5 Pro was even able to make an accurate determination of code that - at the time - was receiving zero detections on VirusTotal. In our testing with other similar gen AI tools, we were required to divide the code into chunks, which led to vague and non-specific outcomes, and affected the overall analysis. Gemini 1.5 Pro, however, processed the entire code in a single pass, and often in about 30 to 40 seconds. Introduction The explosive growth of malware continues to challenge traditional, manual analysis methods, underscoring the urgent need for improved automation and innovative approaches. Generative AI models have become invaluable in some aspects of malware analysis, yet their effectiveness in handling large and complex malware samples has been limited. The introduction of Gemini 1.5 Pro, capable of processing up to 1 million tokens, marks a significant breakthrough. This advancement not only empowers AI to function as a powerful assistant in automating the malware analysis workflow but also significantly scales up the automation of code analysis. By substantially increasing the processing capacity, Gemini 1.5 Pro paves the way for a more adaptive and robust approach to cybersecurity, helping analysts manage the asymmetric volume of threats more effectively and efficiently. Traditional Techniques for Automated Malware Analysis The foundation of automated malware analysis is built on a combination of static and dynamic analysis techniques, both of which play crucial roles in dissecting and understanding malware behavior. Static analysis involves examining the malware without executing it, providing insights into its code structure and unobfuscated logic. Dynamic analysis, on the other hand, involves observing the execution of the malware in a controlled environment to monitor its behavior, regardless of obfuscation. Together, these techniques are leveraged to gain a comprehensive understanding of malware. Parallel to these techniques, AI and machine learning (ML) have increasingly been employed to classify and cluster malware based on behavioral patterns, signatures, and anomalies. These methodologies have ranged from supervised learning, where models are trained on labeled datasets, to unsupervised learning for clustering, which identifies patterns without predefined labels to group similar malware. | Malware Hack Tool Vulnerability Threat Studies Prediction Cloud Conference | Wannacry | ★★★ |
|
2024-04-25 10:00:00 | Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections (lien direct) |
Written by: Kelli Vanderlee, Jamie Collier
Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. |
Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical | APT 40 APT 29 APT 28 APT 43 APT 31 APT 42 | ★★★ |
|
2024-04-23 12:00:00 | M-Trends 2024: Notre vue depuis les fronts M-Trends 2024: Our View from the Frontlines (lien direct) |
Attackers are taking greater strides to evade detection. This is one of the running themes in our latest release: M-Trends 2024. This edition of our annual report continues our tradition of providing relevant attacker and defender metrics, and insights into the latest attacker tactics, techniques and procedures, along with guidance and best practices on how organizations and defenders should be responding to threats.
This year\'s M-Trends report covers Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023 and December 31, 2023. During that time, many of our observations demonstrate a more concerted effort by attackers to evade detection, and remain undetected on systems for longer periods of time:
Increased targeting of edge devices, and platforms that traditionally lack endpoint detection and response solutions.
A more than 50% growth in zero-day usage over the same reporting period in 2022, both by espionage groups as well as financially-motivated attackers.
More “living off the land,” or use of legitimate, pre-installed tools and software within an environment.
Despite the increased focus on evasion by attackers, we are pleased to report that defenders are generally continuing to improve at detecting threats. Dwell time represents the period an attacker is on a system from compromise to detection, and in 2023 the global median dwell time is now 10 days, down from 16 days in 2022. While various factors (such as ransomware) help drive down dwell time, it\'s still a big win for defenders. We can\'t let up, however. Mandiant red teams need only five to seven days on average to achieve their objectives, so organizations must remain vigilant. Other M-Trends 2024 metrics include:
54% of organizations first learned of a compromise from an external source (down from 63% in 2022), while 46% first identified evidence of a compromise internally.
Our engagements most frequently occurred at financial services organizations (17.3%), business and professional services (13.3%), high tech (12.4%), retail and hospitality (8.6%), healthcare (8.1%), and government (8.1%).
The most common initial infection vectors were exploits (38%), phishing (17%), prior compromise (15%), and stolen credentials (10%).
Additional topics covered in detail in M-Trends 2024 include Chinese espionage operations targeting the visibility gap, the evolution of phishing amid shifting security controls, the use of adversary-in-the-middle to overcome multi-factor authentication, cloud intrusion trends, an |
Tool Vulnerability Threat Medical Cloud | ★★★★ | |
|
2024-04-17 10:00:00 | Unearthing APT44: Russia\'s Notorious Cyber Sabotage Unit Sandworm (lien direct) | Written by: Gabby Roncone, Dan Black, John Wolfram, Tyler McLellan, Nick Simonian, Ryan Hall, Anton Prokopenkov, Luke Jenkins, Dan Perez, Lexie Aytes, Alden Wahlstrom
With Russia\'s full-scale invasion in its third year, Sandworm (aka FROZENBARENTS) remains a formidable threat to Ukraine. The group\'s operations in support of Moscow\'s war aims have proven tactically and operationally adaptable, and as of today, appear to be better integrated with the activities of Russia\'s conventional forces than in any other previous phase of the conflict. To date, no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia\'s military campaign. Yet the threat posed by Sandworm is far from limited to Ukraine. Mandiant continues to see operations from the group that are global in scope in key political, military, and economic hotspots for Russia. Additionally, with a record number of people participating in national elections in 2024, Sandworm\'s history of attempting to interfere in democratic processes further elevates the severity of the threat the group may pose in the near-term. Given the active and diffuse nature of the threat posed by Sandworm globally, Mandiant has decided to graduate the group into a named Advanced Persistent Threat: APT44. As part of this process, we are releasing a report, “APT44: Unearthing Sandworm”, that provides additional insights into the group\'s new operations, retrospective insights, and context on how the group is adjusting to support Moscow\'s war aims. Key Findings Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations. While most state-backed threat groups tend to specialize in a specific mission such as collecting intelligence, sabotaging networks, or conducting information operations, APT44 stands apart in how it has honed each of these capabilities and sought to integrate them into a unified playbook over time. Each of these respective components, and APT44\'s efforts to blend them for combined effect, are foundational to Russia\'s guiding “information confrontation” concept for cyber warfare. 
Figure 1: APT44\'s spectrum of operations
APT44 has aggressively pursued a multi- |
Malware Tool Threat Mobile Cloud | NotPetya | ★★ |
|
2024-04-04 14:00:00 | Cutting avant, partie 4: Ivanti Connect Secure VPN Post-Exploitation Mouvement latéral Études de cas Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies (lien direct) |
Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan
Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant\'s previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325. This blog post, as well as our previous reports detailing Ivanti exploitation, help to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied. Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we\'ve seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives. As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti\'s latest patching guidance and instructions to prevent further exploitation activity. In addition, Ivanti released a new enhanced external integrity checker tool (ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other tactics, techniques, and procedures (TTPs) observed in the wild. We also released a remediation and hardening guide |
Malware Tool Vulnerability Threat Studies Mobile Cloud | Guam | ★★★ |
|
2024-03-28 11:00:00 | La vie après la mort?Les campagnes de l'IO liées à un homme d'affaires russe notoire Prigozhin persiste après sa chute politique et sa mort Life After Death? IO Campaigns Linked to Notorious Russian Businessman Prigozhin Persist After His Political Downfall and Death (lien direct) |
Written by: Alden Wahlstrom, David Mainor, Daniel Kapellmann Zafra
In June 2023, Russian businessman Yevgeniy Prigozhin and his private military company (PMC) “Wagner” carried out an armed mutiny within Russia. The events triggered the meteoric political downfall of Prigozhin, raising questions about the future of his various enterprises that were only underscored when he died two months later under suspicious circumstances. Up to that point, Prigozhin and his enterprises worked to advance the Kremlin\'s interests as the manifestation of the thinnest veil of plausible deniability for state-guided actions on multiple continents. Such enterprises included the Wagner PMC; overt influence infrastructure, like his media company Patriot Group that housed his media companies, including the “RIA FAN” Federal News Agency; covert influence infrastructures; and an array of businesses aimed at generating personal wealth and the resourcing necessary to fund his various ventures. Mandiant has for years tracked and reported on covert information operations (IO) threat activity linked to Prigozhin. His involvement in IO was first widely established in the West as part of the public exposure of Russian-backed interference in the 2016 U.S. presidential election-this included activity conducted by Russia\'s Internet Research Agency (IRA), which the U.S. Government publicly named Prigozhin as its financier. Subsequently, Prigozhin was publicly connected to a web of IO activity targeting the U.S., EU, Ukraine, Russian domestic audiences, countries across Africa, and further afield. Such activity has worked not only to advance Russian interests on matters of strategic importance, but also has attempted to exploit existing divisions in societies targeting various subgroups across their population. Throughout 2023, Mandiant has observed shifts in the activity from multiple IO campaigns linked to Prigozhin, including continued indicators that components of these campaigns have remained viable since his death. This blog post examines a sample of Prigozhin-linked IO campaigns to better understand their outcomes thus far and provide an overview of what can be expected from these activity sets in the future. This is relevant not only because some of the infrastructure of these campaigns remains viable despite Prigozhin\'s undoing, but also because we advance into a year in which Ukraine continues to dominate Russia\'s strategic priorities and there are multiple global elections that Russia may seek to influence. Mandiant and Google\'s Threat Analysis Group (TAG) work together in support of our respective missions at Google. TAG has likewise been tracking coordinated influence operations linked to Prigozhin and the Internet Research Agency (IRA) for years; and in 2023, Google took over 400 enforcement actions to disrupt IO campaigns linked to the IRA, details of which are reported in the quarterly TAG Bulletin. TAG has not observed significant activity from the IRA or other Prigozhin-linked entities specifically on Google platforms since Prigozhin\'s death, |
Threat Studies Legislation Prediction | ★★★ | |
|
2024-03-26 22:00:00 | Tendances les jours zéro exploités dans le monde en 2023 Trends on Zero-Days Exploited In-the-Wild in 2023 (lien direct) |
Written by: Maddie Stone, Jared Semrau, James Sadowski
Combined data from Google\'s Threat Analysis Group (TAG) and Mandiant shows 97 zero-day vulnerabilities were exploited in 2023; a big increase over the 62 zero-day vulnerabilities identified in 2022, but still less than 2021\'s peak of 106 zero-days. This finding comes from the first-ever joint zero-day report by TAG and Mandiant. The report highlights 2023 zero-day trends, with focus on two main categories of vulnerabilities. The first is end user platforms and products such as mobile devices, operating systems, browsers, and other applications. The second is enterprise-focused technologies such as security software and appliances. Key zero-day findings from the report include: Vendors\' security investments are working, making certain attacks harder. Attacks increasingly target third-party components, affecting multiple products. Enterprise targeting is rising, with more focus on security software and appliances. Commercial surveillance vendors lead browser and mobile device exploits. People\'s Republic of China (PRC) remains the top state-backed exploiter of zero-days. Financially-motivated attacks proportionally decreased. Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don\'t expect this activity to decrease anytime soon. Progress is being made on all fronts, but zero-day vulnerabilities remain a major threat. A Look Back - 2023 Zero-Day Activity at a Glance Barracuda ESG: CVE-2023-2868 Barracuda disclosed in May 2023 that a zero-day vulnerability (CVE-2023-2868) in their Email Security Gateway (ESG) had been actively exploited since as early as October 2022. Mandiant investigated and determined that UNC4841, a suspected Chinese cyber espionage actor, was conducting attacks across multiple regions and sectors as part of an espionage campaign in support of the PRC. Mandiant released a blog post with findings from the initial investigation, a follow-up post with more details as the investigation continued |
Vulnerability Threat Mobile Cloud Technical | ★★ | |
|
2024-03-22 11:00:00 | APT29 utilise Wineloader pour cibler les partis politiques allemands APT29 Uses WINELOADER to Target German Political Parties (lien direct) |
Résumé exécutif fin février, l'APT29 a utilisé une nouvelle variante de porte dérobée suivie publiquement comme wineloader pour cibler les fêtes politiques allemandes avecun leurre sur le thème de la CDU. & nbsp; & nbsp; C'est la première fois que nous voyons ce cluster APT29 cible des partis politiques, indiquant une zone émergente émergenteFocus opérationnel au-delà du ciblage typique des missions diplomatiques. basée sur la responsabilité du SVR \\ de collecter l'intelligence politique et cette cluster APT29 \\ 'sModèles de ciblage historiques, nous jugeons cette activité pour présenter une large menace pour les partis politiques européens et autres occidentaux de tous les politiques
Executive SummaryIn late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions.Based on the SVR\'s responsibility to collect political intelligence and this APT29 cluster\'s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political |
Threat | APT 29 | ★★ |
|
2024-03-22 00:00:00 | APT29 Uses WINELOADER to Target German Political Parties (lien direct) | Written by: Luke Jenkins, Dan Black
Executive Summary In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR\'s responsibility to collect political intelligence and this APT29 cluster\'s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum. Please see the Technical Annex for technical details and MITRE ATT&CK techniques, (T1543.003, T1012, T1082, T1134, T1057, T1007, T1027, T1070.004, T1055.003 and T1083) Threat Detail In late February 2024, Mandiant identified APT29 - a Russian Federation backed threat group linked by multiple governments to Russia\'s Foreign Intelligence Service (SVR) - conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29\'s mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor variant publicly tracked as WINELOADER. Notably, this activity represents a departure from this APT29 initial access cluster\'s typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster. Additionally, while APT29 has previously used lure documents bearing the logo of German government organizations, this is the first instance where we have seen the group use German-language lure content - a possible artifact of the targeting differences (i.e. domestic vs. foreign) between the two operations. Phishing emails were sent to victims purporting to be an invite to a dinner reception on 01 March bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany (see Figure 1). The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website “https://waterforvoiceless[.]org/invite.php”. ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload retrieved from “waterforvoiceless[.]org/util.php”. WINELOADER was first observed in operational use in late January 2024 in an operation targeting likely diplomatic entities in Czechia, Germany, India, Italy, Latvia, and Peru. The backdoor contains several features and functions that overlap with several known APT29 malware families including BURNTBATTER, MUSKYBEAT and BEATDROP, indicating they are likely created by a common developer (see Technical Annex for additional details). |
Malware Threat Cloud Technical | APT 29 | ★★★ |
|
2024-03-21 09:00:00 | Rendre l'accès - Les courtiers d'accès initiaux exploitent F5 Big-IP (CVE-2023-46747) et ScreenConnect Bringing Access Back - Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect (lien direct) |
Au cours d'une enquête d'intrusion fin octobre 2023, Mandiant a observé une nouvelle exploitation n-day de & nbsp; CVE-2023-46747 Interface utilisateur de gestion du trafic Big-IP F5.De plus, en février 2024, nous avons observé l'exploitation de ConnectWise Screenconnect CVE-2024-1709 par le même acteur.Ce mélange d'outillage personnalisé et du cadre SuperShell exploité dans ces incidents est évalué avec une confiance modérée pour être unique pour une menace de la République de Chine (PRC), unc5174. Mandiant évalue UNC5174 (censé utiliser le personnage "Uteus") est un ancien membre de la Chine
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People\'s Republic of China (PRC) threat actor, UNC5174.Mandiant assesses UNC5174 (believed to use the persona "Uteus") is a former member of Chinese |
Threat | ★★ | |
|
2024-03-21 00:00:00 | Bringing Access Back - Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect (lien direct) | Written by: Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, Austin Larsen
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People\'s Republic of China (PRC) threat actor, UNC5174. Mandiant assesses UNC5174 (believed to use the persona "Uteus") is a former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China\'s Ministry of State Security (MSS) focused on executing access operations. UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, UK government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation. In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada. Targeting and Timeline UNC5174 has been linked to widespread aggressive targeting and intrusions of Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and UK government organizations during October and November 2023, as well as in February 2024. The actor appears primarily focused on executing access operations. Mandiant observed UNC5174 exploiting various vulnerabilities during this time. ConnectWise ScreenConnect Vulnerability CVE-2024-1709 F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability CVE-2023-46747 Atlassian Confluence CVE-2023-22518 Linux Kernel Exploit CVE-2022-0185 Zyxel Firewall OS Command Injection Vulnerability CVE-2022-30525 Investigations revealed several instances of UNC5174 infrastructure, exposing the attackers\' bash command history. This history detailed artifacts of extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions. Additionally, key strategic targets like think tanks in the U.S. and Taiwan were identified; however, Mandiant does not have significant evidence to determine successful exploitation of these targets. 
Figure 1: UNC5174 global targeting map
Initial Disclosure of CVE-2023-46747
On Oct. 25, 2023, Praetorian published an advisory and proof-of-concept (PoC) for a zero-day (0-day) vulnerabil |
Malware Tool Vulnerability Threat Cloud | ★★★ | |
|
2024-02-28 00:00:00 | Quand les chats volent: l'acteur de menace iranienne présumée UNC1549 cible les secteurs de l'aérospatiale et de la défense israéliens et du Moyen-Orient When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors (lien direct) |
Aujourd'hui, Mandiant publie un article de blog sur & nbsp; Activité d'espionnage Iran-Nexus présumée ciblant les industries aérospatiales, de l'aviation et de la défense au Moyen-Orient Des pays, dont Israël et les Émirats arabes unis (EAU) et potentiellement la Turquie, l'Inde et l'Albanie. & nbsp; mandiant attribue cette activité avec une confiance modéréeà l'acteur iranien UNC1549 , qui chevauche & nbsp; tortue -Un acteur de menace qui a été publiquement & nbsp; lié à & nbsp; Le Corps de la Garde révolutionnaire islamique de l'Iran \\ (IRGC) .Tortoirhesell a déjà tenté de compromettre les chaînes d'approvisionnement en ciblant les entrepreneurs de défense et il
Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania. Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell-a threat actor that has been publicly linked to Iran\'s Islamic Revolutionary Guard Corps (IRGC). Tortoiseshell has previously attempted to compromise supply chains by targeting defense contractors and IT |
Threat | ★★★ | |
|
2024-02-27 21:30:00 | Cutting avant, partie 3: Enquête sur Ivanti Connect Secure Secure VPN Exploitation et Tentatives de persistance Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts (lien direct) |
Les enquêtes de mandiant et ivanti \\ sur les larges et nbsp; Ivanti Exploitation zéro-jour se sont poursuivis à travers une variété de verticales de l'industrie, y compris le secteur de la base industrielle de la défense américaine.Après la publication initiale du 10 janvier 2024, Mandiant a observé des tentatives de masse pour exploiter ces vulnérabilités par un petit nombre d'acteurs de la menace de Chine-Nexus, et le développement d'un byligation d'exploitation de ciblage & nbsp; CVE-2024-21893 utilisé par & nbsp; unc5325 , que nous avons introduit dans notre & nbsp; " Cutting Edge, partie 2 "Blog Article . & nbsp; notamment, Mandiant a identifié unc5325 en utilisant une combinaison de vie-the-land (LOTL)
Mandiant and Ivanti\'s investigations into widespread Ivanti zero-day exploitation have continued across a variety of industry verticals, including the U.S. defense industrial base sector. Following the initial publication on Jan. 10, 2024, Mandiant observed mass attempts to exploit these vulnerabilities by a small number of China-nexus threat actors, and development of a mitigation bypass exploit targeting CVE-2024-21893 used by UNC5325, which we introduced in our "Cutting Edge, Part 2" blog post. Notably, Mandiant has identified UNC5325 using a combination of living-off-the-land (LotL) |
Vulnerability Threat Industrial | ★★ | |
|
2024-02-21 00:00:00 | Dévoiler l'évaluation de l'échéance du programme d'intelligence de cyber-menace de Maniant Unveiling Mandiant\\'s Cyber Threat Intelligence Program Maturity Assessment (lien direct) |
Dans le cadre de l'engagement continu de Google Cloud \\ à améliorer l'état global de cybersécurité pour la société, Mandiant publie aujourd'hui publiquement un Discovery des capacités d'intelligence basées sur les web (ICD) pour aider les organisations commerciales et gouvernementales à évaluerLa maturité de leur programme d'intelligence cyber-menace (CTI).La CIM est conçue pour fournir aux praticiens de la cybersécurité et aux dirigeants du renseignement des menaces une estimation de la façon dont le programme CTI \\ de l'organisation crée un impact organisationnel positif et réduit le risque pour l'entreprise.La CIM joue un critique
As part of Google Cloud\'s continuing commitment to improving the overall state of cybersecurity for society, today Mandiant is publicly releasing a web-based Intelligence Capability Discovery (ICD) to help commercial and governmental organizations evaluate the maturity of their cyber threat intelligence (CTI) program. The ICD is designed to provide cyber security practitioners and threat intelligence leaders with an estimate of how effectively and efficiently the organization\'s CTI program is creating a positive organizational impact and reducing risk for the business. The ICD plays a critical |
Threat Cloud Commercial | ★★★ | |
|
2024-01-31 16:30:00 | Cutting Edge, partie 2: Enquêter Ivanti Connect Secure VPN Exploitation Zero-Day Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation (lien direct) |
Le 12 janvier 2024, Mandiant a publié un Article de blog Détaillant deux vulnérabilités à haut impact, CVE-2023-46805 et CVE-2024-21887 , affectant Ivanti Connect Secure VPN (CS, anciennement Secure Secure) et Ivanti Secure (Ps) Appareils.Le 31 janvier 2024, Ivanti divulgué Deux vulnérabilités supplémentaires ayant un impact sur les dispositifs CS et PS, CVE-2024-21888 et CVE-2024-21893. Les vulnérabilités permettent à un acteur de menace non authentifié d'exécuter des commandes arbitraires sur l'appareil avec des privilèges élevés.Comme indiqué précédemment, Mandiant a identifié l'exploitation zéro jour de ces vulnérabilités
On Jan. 12, 2024, Mandiant published a blog post detailing two high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and Ivanti Policy Secure (PS) appliances. On Jan. 31, 2024, Ivanti disclosed two additional vulnerabilities impacting CS and PS devices, CVE-2024-21888 and CVE-2024-21893.The vulnerabilities allow for an unauthenticated threat actor to execute arbitrary commands on the appliance with elevated privileges. As previously reported, Mandiant has identified zero-day exploitation of these vulnerabilities |
Vulnerability Threat | ★★ | |
|
2024-01-19 17:30:00 | Le groupe d'espionnage chinois UNC3886 a trouvé l'exploitation du CVE-2023-34048 depuis la fin 2021 Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021 (lien direct) |
Bien que signalé et corrigé publiquement en octobre 2023, la sécurité des produits Mandiant et VMware a trouvé unc3886 , un groupe d'espionnage China-Nexus très avancé, a exploité CVE-2023-34048 jusqu'à la fin 2021. Ces résultats proviennent de la recherche continue de Maniant \\ de Les nouveaux chemins d'attaque utilisés par unc3886 , qui se concentre historiquement sur les technologies qui ne sont pas en mesure de les déployer par EDR.UNC3886 a une expérience en utilisant des vulnérabilités zéro-jours pour terminer leur mission sans être détectée, et ce dernier exemple démontre en outre leurs capacités. Lorsque vous couvrez
While publicly reported and patched in October 2023, Mandiant and VMware Product Security have found UNC3886, a highly advanced China-nexus espionage group, has been exploiting CVE-2023-34048 as far back as late 2021.These findings stem from Mandiant\'s continued research of the novel attack paths used by UNC3886, which historically focuses on technologies that are unable to have EDR deployed to them. UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities. When covering |
Vulnerability Threat | ★★★★ | |
|
2024-01-11 02:00:00 | Cutting avant: cibles présumées APT Ivanti Connect Secure VPN dans une nouvelle exploitation zéro-jour Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation (lien direct) |
Remarque: Il s'agit d'une campagne de développement sous analyse active de Mandiant et Ivanti.Nous continuerons à ajouter plus d'indicateurs, de détections et d'informations à ce billet de blog au besoin. le 10 janvier 2024, ivanti divulgué Deux vulnérabilités, CVE-2023-46805 et CVE-2024-21887 , impactant Ivanti Connect Secure VPN (" CS ", anciennement Secure Secure) et Ivanti Secure (" PS") appareils électroménagers.Une exploitation réussie pourrait entraîner un contournement d'authentification et une injection de commandement, entraînant un autre compromis en aval d'un réseau de victimes.Mandiant a identifié l'exploitation zéro-jour de ces vulnérabilités
Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure VPN (“CS”, formerly Pulse Secure) and Ivanti Policy Secure (“PS”) appliances. Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities |
Vulnerability Threat | ★★★ | |
|
2023-12-14 21:00:00 | Le cyber-instantané du défenseur du défenseur, le numéro 5 - Insiders, applications et risque atténuant The Defender\\'s Advantage Cyber Snapshot, Issue 5 - Insiders, Applications, and Mitigating Risk (lien direct) |
Le rapport de cyber-instantan avant le défenseur \\ fournit un aperçu des sujets de cyber-défense d'une importance croissante en fonction des observations de première ligne mandiantes et des expériences du monde réel. La cinquième édition couvre un large éventail de sujets, y compris l'idéologie et le paysage des menaces d'initiés, des étapes critiques pour aider à atténuer votre cyber-risque, la croissance de la croissance deCiblage de l'industrie maritime, sécurisation de la cyber-défenses de votre application, et l'importance de la chasse aux menaces dirigée par le renseignement. Téléchargez l'avantage complet du Defender \\ du défenseur complet, le numéro 5 du rapport Pour en savoir plusÀ propos de ces cinq sujets chauds: compresseur
The Defender\'s Advantage Cyber Snapshot report provides insights into cyber defense topics of growing importance based on Mandiant frontline observations and real-world experiences. The fifth edition covers a wide range of topics, including the ideology and landscape of insider threats, critical steps to help mitigate your cyber risk, the growth of maritime industry targeting, securing your application\'s cyber defenses, and the importance of intelligence-led threat hunting.Download the full Defender\'s Advantage Cyber Snapshot, Issue 5 report to learn more about these five hot topics: Understan |
Threat | ★★ | |
|
2023-12-14 17:00:00 | Ouvrir une boîte de publicités Whoop: détecter et perturber une campagne de malvertisation distribuant des déambulations Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors (lien direct) |
Plus tôt cette année, l'équipe de chasse des menaces de défense gérée de Mandiant \\ a identifié une campagne de publicité malveillante («malvertisante») UNC2975 faisant la promotion de sites Web malveillants sur le thème des fonds non réclamés.Cette campagne remonte au moins le 19 juin 2023, et a abusé du trafic de moteurs de recherche et des publicités malveillantes à effet de levier pour affecter plusieurs organisations, ce qui a entraîné la livraison des délais de Danabot et Darkgate. La défense gérée a travaillé avec des pratiques avancées et avec l'équipe anti-Malvertising Google pour supprimer les publicités malveillantes de l'écosystème d'annonces, puis
Earlier this year, Mandiant\'s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign promoting malicious websites themed around unclaimed funds. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors.Managed Defense worked with Advanced Practices and with the Google Anti-Malvertising team to remove the malicious advertisements from the ads ecosystem, and subsequently |
Threat | ★★ | |
|
2023-11-30 17:00:00 | Amélioration des outils d'analyse des logiciels malveillants de Flare \\ à Google Summer of Code 2023 Improving FLARE\\'s Malware Analysis Tools at Google Summer of Code 2023 (lien direct) |
Cet été a marqué la première année de la première année de l'équipe Flare \\ à googleÉté du code (GSOC) .GSOC est un programme mondial de mentorat en ligne axé sur l'introduction de nouveaux contributeurs au développement de logiciels open source.Les contributeurs du GSOC travaillent avec des mentors pour réaliser des projets de plus de 12 semaines qui soutiennent les organisations open source.En 2023, Flare a été acceptée en GSOC et a eu le privilège de travailler avec quatre contributeurs. Flare est une équipe d'ingénieurs et de chercheurs insensés qui se spécialisent dans l'analyse des logiciels malveillants, Exploiter Analyse et formation de logiciels malveillants.Flare développe, maintient et publie divers ouverts
This summer marked the FLARE team\'s first year participating in Google Summer of Code (GSoC). GSoC is a global online mentoring program focused on introducing new contributors to open source software development. GSoC contributors work with mentors to complete 12+ week projects that support open source organizations. During 2023 FLARE was accepted into GSoC and had the privilege of working with four contributors.FLARE is a team of reverse engineers and researchers who specialize in malware analysis, exploit analysis, and malware training. FLARE develops, maintains, and publishes various open |
Malware Tool Threat | ★★★ | |
|
2023-11-16 18:00:00 | Menace d'initié: chasse et détection Insider Threat: Hunting and Detecting (lien direct) |
La menace d'initié est un défi à multiples facettes qui représente aujourd'hui un risque de cybersécurité significatif pour les organisations.Certains sont des initiés malveillants tels que les employés qui cherchent à voler des données ou à saboter l'organisation.Certains sont des initiés involontaires tels que des employés qui commettent des erreurs imprudents ou sont victimes de phisses. Si vous avez besoin d'un rafraîchissement sur les menaces d'initiés ou leur impact, veuillez vous référer à nos articles de blog précédents: menace d'initié: les dangers à l'intérieur menace d'initié: Études d'impact L'identification des menaces d'initié devient de plus en plus importante.Les initiés malveillants transportent souvent
The insider threat is a multifaceted challenge that represents a significant cybersecurity risk to organizations today. Some are malicious insiders such as employees looking to steal data or sabotage the organization. Some are unintentional insiders such as employees who make careless mistakes or fall victim to phishing attacks. If you need a refresher on what insider threats are or their impact, please refer to our previous blog posts:Insider Threat: The Dangers WithinInsider Threat: Impact StudiesIdentifying insider threats is becoming increasingly important. Malicious insiders often carry |
Threat | ★★★★ | |
|
2023-11-14 17:00:00 | Le processus CTI Hyperloop: une mise en œuvre pratique du cycle de vie du processus CTI The CTI Process Hyperloop: A Practical Implementation of the CTI Process Lifecycle (lien direct) |
Implémentation du cycle de vie du processus CTI en tant que Hyperloop Le cycle Hyperloop de renseignement est un modèle de mise en œuvre du cyber-menace Intelligence (CTI).Le cycle de vie est un processus bien établi décrivant la façon dont les produits d'intelligence sont motivés par la planification et la direction initialement, suivis des phases de collecte, de traitement, d'analyse, de production et de diffusion.La nature cyclique décrit comment les produits diffusés éclairent ensuite une nouvelle étape de planification et de direction d'un nouveau cycle. | Threat | ★★★★ | |
|
2023-11-09 15:00:00 | Le ver de sable perturbe le pouvoir en Ukraine en utilisant une nouvelle attaque contre la technologie opérationnelle Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology (lien direct) |
fin 2022, Mandiant a répondu à un incident de cyber-physique perturbateur dans lequel l'acteur de menace lié à la Russie a ciblé une organisation d'infrastructure critique ukrainienne.Cet incident était une cyberattaque multi-événements qui a exploité une nouvelle technique pour avoir un impact sur les systèmes de contrôle industriel (CI) / technologie opérationnelle (OT).L'acteur a d'abord utilisé le niveau OT vivant des techniques terrestres (LOTL) pour déclencher probablement les disjoncteurs de sous-station de la victime, provoquant une panne de courant imprévue qui coïncidait avec les frappes de missiles de masse sur les infrastructures critiques à travers l'Ukraine.Sandworm plus tard
In late 2022, Mandiant responded to a disruptive cyber physical incident in which the Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber attack that leveraged a novel technique for impacting industrial control systems (ICS) / operational technology (OT). The actor first used OT-level living off the land (LotL) techniques to likely trip the victim\'s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. Sandworm later |
Threat Industrial | APT 28 | ★★ |
|
2023-10-13 11:15:00 | Mises à jour des produits de renseignement Mandiant Threat pour octobre 2023 Mandiant Threat Intelligence Product Updates for October 2023 (lien direct) |
mandiantIntelligence de menace a ajouté un certain nombre de fonctionnalités et capacités nouvelles et mises à jour, qui sont désormais disponibles dans l'aperçu public ou la disponibilité générale.Ces nouvelles capacités vous aident à gagner du temps et à mieux comprendre les menaces vous ciblant.
Aperçu public
Surveillance des informations d'identification compromises: Surveillez vos informations d'identification compromises qui peuvent avoir fui sur la toile profonde et sombre.Les capacités de surveillance des informations d'identification compromises dans Surveillance des menaces numériques peut vous alerter automatiquement si des comptes liés à votre organisation - les deux employés interneset les clients - ont
Mandiant Threat Intelligence has added a number of new and updated features and capabilities, which are now available in public preview or general availability. These new capabilities help you save time and gain more insight into the threats targeting you. Public Preview Compromised credentials monitoring: Monitor your compromised credentials that may have leaked on the deep and dark web. The compromised credentials monitoring capabilities in Digital Threat Monitoring can automatically alert you if any accounts linked to your organization - both internal employees and customers - have |
Threat | ★★★ | |
|
2023-10-10 07:00:00 | Évalué la cyber-structure et les alignements de la Corée du Nord en 2023 Assessed Cyber Structure and Alignments of North Korea in 2023 (lien direct) |
résumé exécutif
Le programme offensif de DPRK \\ continue d'évoluer, montrant que le régime est déterminé à continuer à utiliser des cyber-intrusions pour mener les deuxEspionage et crime financier pour projeter le pouvoir et financer à la fois leurs capacités cyber et cinétiques.
Les dernières opérations de Nexus DPRK font allusion à une augmentation de l'adaptabilité et de la complexité, y compris une attaque de chaîne d'approvisionnement en cascade vue pour la première fois, et ciblant régulièrementBlockchain et fintech verticals.
Alors que différents groupes de menaces partagent des outils et du code, l'activité de menace nord-coréenne continue de s'adapter et de changer
Executive Summary The DPRK\'s offensive program continues to evolve, showing that the regime is determined to continue using cyber intrusions to conduct both espionage and financial crime to project power and to finance both their cyber and kinetic capabilities. Latest DPRK nexus operations hint at an increase in adaptability and complexity, including a cascading software supply chain attack seen for the first time, and consistently targeting blockchain and fintech verticals. While different threat groups share tooling and code, North Korean threat activity continues to adapt and change |
Threat | ★★★ | |
|
2023-09-14 17:00:00 | Pourquoi tu m'envoyez un texto?UNC3944 tire parti des campagnes de phishing SMS pour l'échange de SIM, les ransomwares, l'extorsion et la notoriété Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety (lien direct) |
unc3944 est un cluster de menace motivé financièrement qui a utilisé de manière persistante Génie social basé sur téléphone et les campagnes de phishing SMS (SMSHing) pour obtenir des informations d'identification pour gagner et augmenter l'accès aux organisations victimes.Au moins, certains acteurs de la menace UNC3944 semblent opérer dans des communautés souterraines, telles que Telegram et Forums Underground, qu'ils peuvent exploiter pour acquérir des outils, des services et / ou d'autres soutiens pour augmenter leurs opérations.Cette activité chevauche une activité qui a été rapportée dans des sources ouvertes comme " 0ktapus , "" disperser les porcs , "et" Araignée dispersée . "Depuis 2022 et via
UNC3944 is a financially motivated threat cluster that has persistently used phone-based social engineering and SMS phishing campaigns (smshing) to obtain credentials to gain and escalate access to victim organizations. At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and underground forums, which they may leverage to acquire tools, services, and/or other support to augment their operations. This activity overlaps with activity that has been reported in open sources as "0ktapus," "Scatter Swine," and "Scattered Spider." Since 2022 and through |
Threat | ★★ | |
|
2023-08-30 09:30:00 | Revisiter des conseils de sécurité traditionnels pour les menaces modernes Revisiting Traditional Security Advice for Modern Threats (lien direct) |
Les attaques modernes ciblant les chaînes d'approvisionnement, en utilisant des exploits zéro-jour et en exploitant les vulnérabilités dans les appareils de sécurité ont inondé les salles de rédaction, les salles de conférence et la menacerapporte ces derniers mois.Certains exemples ont été uniques et intéressants, y compris le 3cx Compromis de chaîne d'approvisionnement du logiciel lié aux compromis de la chaîne d'approvisionnement du logiciel des technologies de trading, et le Compromis de chaîne d'approvisionnement de JumpCloud qui a été rendu possible par une campagne sophistiquée de phishing de lance.D'autres exemples ont été légèrement plus traditionnels, comme l'exploitation de Vulnérabilités dans les appareils de sécurité tels quecomme
Modern attacks targeting supply chains, using zero-day exploits, and exploiting vulnerabilities in security appliances have been flooding newsrooms, boardrooms and threat reports in recent months. Some examples have been unique and interesting, including the 3CX software supply chain compromise linked to Trading Technologies software supply chain compromise, and the supply chain compromise of JumpCloud that was made possible by a sophisticated spear phishing campaign. Other examples have been slightly more traditional, such as exploitation of vulnerabilities in security appliances such as |
Vulnerability Threat | ★★★ | |
|
2023-08-29 07:00:00 | Plongée profondément dans les opérations UNC4841 après la correction de Barracuda ESG (CVE-2023-2868) Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) (lien direct) |
Le 15 juin 2023, mandiant libéré un article de blog détaillant un espionnage global de 8 mois Un4841 .Dans cet article de blog de suivi, nous détaillerons des tactiques, des techniques et des procédures supplémentaires (TTP) employés par UNC4841 qui ont depuis été découverts par le biais des engagements de réponse aux incidents de Mandiant, ainsi que par des efforts de collaboration avec les réseaux de Barracuda et notrePartenaires du gouvernement international.
Au cours de cet article de blog, Mandiant détaillera comment UNC4841 a continué à montrer la sophistication et l'adaptabilité dans
On June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a Chinese-nexus threat group tracked as UNC4841. In this follow-up blog post, we will detail additional tactics, techniques, and procedures (TTPs) employed by UNC4841 that have since been uncovered through Mandiant\'s incident response engagements, as well as through collaborative efforts with Barracuda Networks and our International Government partners. Over the course of this blog post, Mandiant will detail how UNC4841 has continued to show sophistication and adaptability in |
Threat | ★★★ | |
|
2023-08-24 09:00:00 | L'IA et les cinq phases du cycle de vie de l'intelligence des menaces AI and the Five Phases of the Threat Intelligence Lifecycle (lien direct) |
L'intelligence artificielle (IA) et les modèles de grandes langues (LLM) peuvent aider les équipes de renseignement à détecter et à comprendre les nouvelles menaces à grande échelle,Réduisez le labeur induisant l'épuisement professionnel et développez leur talent existant en démocratisant l'accès à l'expertise en la matière.Cependant, un large accès aux données fondamentales de l'intelligence open source (OSINT) et aux technologies AI / ML a rapidement conduit à une quantité écrasante de bruit pour les utilisateurs.Mandiant, en revanche, adopte une approche plus nuancée pour fusionner l'expertise de pointe, des sources de données propriétaires uniques et une ML de pointe pour permettre à un >
Artificial intelligence (AI) and large language models (LLMs) can help threat intelligence teams to detect and understand novel threats at scale, reduce burnout-inducing toil, and grow their existing talent by democratizing access to subject matter expertise. However, broad access to foundational Open Source Intelligence (OSINT) data and AI/ML technologies has quickly led to an overwhelming amount of noise for users to sift through. Mandiant, by contrast, takes a more nuanced approach to fuse industry-leading expertise, unique proprietary data sources, and cutting-edge ML to enable a holistic |
Threat | ★★★★ | |
|
2023-08-17 07:00:00 | Les acteurs de la menace sont intéressés par une IA générative, mais l'utilisation reste limitée Threat Actors are Interested in Generative AI, but Use Remains Limited (lien direct) |
Depuis au moins 2019, Mandiant a suivi l'intérêt des acteurs de la menace et des capacités d'IA pour faciliter une variété d'activités malveillantes.Sur la base de nos propres observations et comptes open source, l'adoption de l'IA dans les opérations d'intrusion reste limitée et principalement liée à l'ingénierie sociale.
En revanche, les acteurs des opérations de l'information de diverses motivations et capacités ont de plus en plus exploité le contenu généré par l'IA, en particulier l'imagerie et la vidéo, dans leurs campagnes, probablementDû au moins en partie aux applications facilement apparentes de ces fabrications dans la désinformation
Since at least 2019, Mandiant has tracked threat actor interest in, and use of, AI capabilities to facilitate a variety of malicious activity. Based on our own observations and open source accounts, adoption of AI in intrusion operations remains limited and primarily related to social engineering. In contrast, information operations actors of diverse motivations and capabilities have increasingly leveraged AI-generated content, particularly imagery and video, in their campaigns, likely due at least in part to the readily apparent applications of such fabrications in disinformation |
Threat | ★★★ | |
|
2023-08-14 14:30:00 | Indicateurs du scanner de compromis pour Citrix ADC Zero-Day (CVE-2023-3519) Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) (lien direct) |
mandiant a récemment publié un Article de blog sur le compromis de Citrix NetScaler Delivery Controller (ADC) et des appareils de passerelle NetScaler liés à la vulnérabilité du jour zéro suivi sous le nom de cve-2023-3519 .Le CVE-2023-3519 est une vulnérabilité zéro-jour qui peut permettre l'exécution du code distant, et a été observé exploité dans la nature par un acteur de menace cohérent avec une Chine-Nexus basée sur des capacités connues et une histoire de ciblage des ADC Citrix.Récemment, la preuve de concepts pour exploiter cette vulnérabilité a été publiquement posté .
Aujourd'hui, nous publions un outil pour aider
Mandiant recently published a blog post about the compromise of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Appliances related to the zero-day vulnerability tracked as CVE-2023-3519. CVE-2023-3519 is a zero-day vulnerability that can enable remote code execution, and has been observed being exploited in the wild by a threat actor consistent with a China-nexus based on known capabilities and history of targeting Citrix ADCs. Recently, proof-of-concepts to exploit this vulnerability have been publicly posted. Today we are releasing a tool to help |
Tool Vulnerability Threat | ★★★ | |
|
2023-08-03 11:30:00 | Le rapport sur les horizons de menace d'août 2023 fournit des informations et des recommandations axées sur la cybersécurité axées August 2023 Threat Horizons Report Provides Cloud-Focused Cybersecurity Insights and Recommendations (lien direct) |
Le rapport Google Cloud Keners Horizons a été lancé pour la première fois en novembre 2021 dans le but ultime de fournir aux décideurs de sécurité des informations stratégiques sur les menaces pour les utilisateurs des entreprises dans le cloud, ainsi que les données, les métriques, les tendances et les recherches supplémentaires sur le cloud.Peut-être plus important encore, le rapport visait à fournir des recommandations des équipes de renseignement et de sécurité de Google \\ pour aider les défenseurs à protéger, à détecter et à répondre aux derniers cloud et autres menaces.
Aujourd'hui marque la sortie de la septième édition de notre publication trimestrielle, août 2023 Rapport des horizons de menace , Et notre
The Google Cloud Threat Horizons Report first launched in November 2021 with the ultimate goal of providing security decision-makers with strategic intelligence about threats to cloud enterprise users, along with data, metrics, trends, and additional cloud research. Perhaps most importantly, the report aimed to provide recommendations from Google\'s intelligence and security teams to help defenders protect against, detect, and respond to the latest cloud and other threats. Today marks the release of the seventh edition of our quarterly publication, August 2023 Threat Horizons Report, and our |
Threat Cloud | ★★★ | |
|
2023-08-03 09:30:00 | Google a nommé un leader du service de renseignement des menaces externes Forrester Wave ™ Google Named a Leader in the External Threat Intelligence Service Forrester Wave™ (lien direct) |
 google a été nommé leader dans The Forrester Wave ™: External Threat Intelligence Service Providers, Q3 2023 .Forrester a identifié 12 grandes entreprises dans l'espace de renseignement des menaces et Google a reçu le score le plus élevé possible en 15 des 29 critères.
Le rapport Forrester indique: "Google est prêt à devenir le fournisseur de renseignement de menace le plus pertinent et le plus dominant."De plus, l'acquisition de Google \\ de Mandiant et la puissance des intégrations sont mentionnées dans le rapport: «Les offres mandiantes peuvent désormais tirer parti de la puissance, de l'échelle et de l'innovation de Google pour découvrir, personnaliser et
 Google was named a Leader in The Forrester Wave™: External Threat Intelligence Service Providers, Q3 2023. Forrester identified 12 top companies in the threat intelligence space and Google received the highest possible score in 15 out of the 29 criteria.
The Forrester report states, “Google is poised to become the most relevant and dominant threat intelligence provider.” Additionally, Google\'s acquisition of Mandiant and the power of the integrations are mentioned in the report, “The Mandiant offerings can now leverage the power, scale, and innovation of Google to discover, personalize, and |
Threat | ★★ | |
|
2023-08-02 09:00:00 | Silos transcendant: améliorer la collaboration entre l'intelligence des menaces et le cyber-risque Transcending Silos: Improving Collaboration Between Threat Intelligence and Cyber Risk (lien direct) |
Le renseignement des cyber-menaces (CTI) et la gestion des risques sont devenus des disciplines distinctes, mais ils partagent de nombreuses similitudes dans leur mission.Les deux approches éclairent la prise de décision en fournissant des informations de haute qualité sur les menaces et les risques les plus pertinents qui ont un impact sur les organisations.Bien que les équipes de risques et de CTI abordent ce défi à partir de différents points de vue, leur mission partagée sous-jacente crée des opportunités passionnantes de collaboration.La collaboration offre également une occasion sans frais de transformer le personnel sur des compétences complémentaires, augmentant la capacité existante pour aborder le plus grand inhibiteur
Cyber Threat Intelligence (CTI) and risk management have emerged as distinct disciplines, yet they share many similarities in their mission. Both approaches inform decision-making by providing high-quality insight on the most relevant threats and risks impacting organizations. Although risk and CTI teams approach this challenge from different vantage points, their underlying shared mission creates exciting opportunities for collaboration. Collaboration also provides a no-cost opportunity to cross-train staff on complementary skills, augmenting existing capacity to address the biggest inhibitor |
Threat | ★★★ | |
|
2023-07-21 16:00:00 | Exploitation de Citrix Zero-Day par d'éventuels acteurs d'espionnage (CVE-2023-3519) Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) (lien direct) |
Remarque: Il s'agit d'une campagne de développement sous analyse active.Nous continuerons d'ajouter plus d'indicateurs, de conseils de chasse et d'informations à cet article de blog au besoin.
Les périphériques de sécurité et de réseautage sont des "périphériques Edge", ce qui signifie qu'ils sont connectés à Internet.Si un attaquant réussit à exploiter une vulnérabilité sur ces appareils, il peut obtenir un accès initial sans interaction humaine, ce qui réduit les chances de détection.Tant que l'exploit reste inconnu, l'acteur de menace peut le réutiliser pour accéder à des victimes supplémentaires ou rétablir l'accès aux systèmes ciblés
Note: This is a developing campaign under active analysis. We will continue to add more indicators, hunting tips, and information to this blog post as needed. Security and networking devices are "edge devices," meaning they are connected to the internet. If an attacker is successful in exploiting a vulnerability on these appliances, they can gain initial access without human interaction, which reduces the chances of detection. As long as the exploit remains undiscovered, the threat actor can reuse it to gain access to additional victims or reestablish access to targeted systems |
Vulnerability Threat | ★★★ | |
|
2023-07-18 09:00:00 | Mode furtif: les acteurs chinois de cyber-espionnage continuent d'évoluer les tactiques pour éviter la détection Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection (lien direct) |
Mandiant Intelligence suit plusieurs façons dont l'activité de cyber-espionnage chinoise a de plus en plus profité des stratégies initiales d'accès et de post-compromis destinées à minimiser les opportunités de détection.Plus précisément, cette analyse met en évidence les groupes de menaces chinoises \\ 'Exploitation de zéro-jours dans les logiciels de sécurité, de réseautage et de virtualisation, et le ciblage des routeurs et d'autres méthodes pour relayer et déguiser le trafic d'attaquant à l'extérieur et à l'intérieur des réseaux de victimes.Nous évaluons avec une grande confiance que les groupes de cyber-espionnage chinois utilisent ces techniques pour éviter la détection et
Mandiant Intelligence is tracking several ways in which Chinese cyber espionage activity has increasingly leveraged initial access and post-compromise strategies intended to minimize opportunities for detection. Specifically, this analysis highlights Chinese threat groups\' exploitation of zero-days in security, networking, and virtualization software, and targeting of routers and other methods to relay and disguise attacker traffic both outside and inside victim networks. We assess with high confidence that Chinese cyber espionage groups are using these techniques to avoid detection and |
Threat | ★★★★ | |
|
2023-06-13 09:00:00 | VMware Esxi Zero-Day utilisé par l'acteur d'espionnage chinois pour effectuer des opérations invitées privilégiées sur des hyperviseurs compromis VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors (lien direct) |
nécessite l'accès à l'hyperviseur pour exploiter la vulnérabilité (par exempleGrâce aux informations d'identification ESXi volées)
En tant que solutions de détection et de réponse (EDR) (EDR) améliorer l'efficacité de détection de logiciels malveillants sur les systèmes Windows et Linux, certains acteurs de menace parrainés par l'État se sont déplacés vers le développementet déploiement de logiciels malveillants sur des systèmes qui ne prennent généralement pas en charge Edr tels que les appareils réseau, les tableaux SAN, etHôtes VMware ESXi.
À la fin de 2022, les détails publiés mandiant entourant un Nouveau système de logiciels malveillants Déploié par unc3886, un groupe de cyber-espionnage chinois, qui Impact hôtes VMware ESXi impactés ESXI Hosts ESXi impactés ESXi hôtes ESXi Hosts VMware ESXI Hosts VMware ESXI IACT., serveurs vCenter
Requires access to the hypervisor to exploit the vulnerability (e.g. through stolen ESXi credentials) As Endpoint Detection and Response (EDR) solutions improve malware detection efficacy on Windows and Linux systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi hosts. In late 2022, Mandiant published details surrounding a novel malware system deployed by UNC3886, a Chinese cyber espionage group, which impacted VMware ESXi hosts, vCenter servers |
Malware Vulnerability Threat | ★★★★ | |
|
2023-05-22 09:00:00 | Don \\ 't @ moi: l'obscurcissement de l'URL à travers les abus de schéma Don\\'t @ Me: URL Obfuscation Through Schema Abuse (lien direct) |
Une technique est utilisée dans la distribution de plusieurs familles de logiciels malveillants qui obscurcissent la destination finale d'une URL en abusant du schéma URL .Mandiant suit cette méthodologie adversaire en tant que " URL Schema Obfuscation ” . La technique pourrait augmenter la probabilité d'une attaque de phishing réussie, et pourrait provoquer des erreurs d'extraction de domaine dans l'exploitation forestière ou l'outillage de sécurité. Si un réseau défense le réseauL'outil s'appuie sur la connaissance du serveur qu'une URL pointe vers (par exemple, la vérification si un domaine est sur un flux Intel de menace), il pourrait potentiellement le contourner et provoquer des lacunes dans la visibilité et la couverture.
A technique is being used in the distribution of multiple families of malware that obfuscates the end destination of a URL by abusing the URL schema. Mandiant tracks this adversary methodology as "URL Schema Obfuscation”. The technique could increase the likelihood of a successful phishing attack, and could cause domain extraction errors in logging or security tooling. If a network defense tool is relying on knowing the server a URL is pointing to (e.g. checking if a domain is on a threat intel feed), it could potentially bypass it and cause gaps in visibility and coverage. Common URL parsing |
Malware Tool Threat | ★★★★ | |
|
2023-05-18 09:00:00 | Une approche axée sur les exigences de l'intelligence cyber-menace A Requirements-Driven Approach to Cyber Threat Intelligence (lien direct) |
Cyber Threat Intelligence (CTI) sert un objectif large: informer, conseiller et autonomiser les parties prenantes au sein d'une organisation.Les fonctions de CTI réussies mettent invariablement les exigences de renseignement des parties prenantes au cœur de leur énoncé de mission.Mais, toute équipe CTI peut et doit adopter une approche axée sur les exigences.
Dans notre rapport, Une approche axée sur les exigences de l'intelligence cyber-menace , nous décrivons ce que signifie être axé sur les exigences dans la pratique.Nous offrons des conseils exploitables sur la façon dont les fonctions d'intelligence peuvent implémenter et optimiser une telle approche au sein de leurs organisations.
met en œuvre
Cyber threat intelligence (CTI) serves a broad purpose: to inform, advise, and empower stakeholders within an organization. Successful CTI functions invariably put stakeholder intelligence requirements at the heart of their mission statement. But, any CTI team can and should adopt a requirements-focused approach. In our report, A Requirements-Driven Approach to Cyber Threat Intelligence, we outline what it means to be requirements-driven in practice. We offer actionable advice on how intelligence functions can implement and optimize such an approach within their organizations. Implemen |
Threat | ★★ | |
|
2023-05-04 09:30:00 | Nouvelles intégrations d'intelligence de menace mandiante pour MISP, Splunk Siem et Soar, et Cortex Xsoar par Palo Alto Networks New Mandiant Threat Intelligence Integrations for MISP, Splunk SIEM and SOAR, and Cortex XSOAR by Palo Alto Networks (lien direct) |
Les professionnels de la sécurité sont souvent submergés par le nombre de consoles de gestion ou de plates-formes dont ils ont besoin pour sauter un jour donné.L'automatisation et le partage d'informations sur les flux de travail existants peuvent décharger ces équipes en éliminant les tâches banales et en réduisant l'erreur humaine.
Les intégrations SaaS mandiant gagnent du temps et aident à rendre les équipes de sécurité plus proactives.L'API de renseignement Mandiant Threat permet aux équipes de sécurité d'intégrer Intelligence de menace mandiante Données directement dans leurs outils de sécurité et flux de travail existants.
dans le cadre de notre engagement en cours à aider les équipes de sécurité à travailler
Security professionals are often overwhelmed by the number of management consoles or platforms they need to jump between on any given day. Automating and sharing information into existing workflows can unburden these teams by eliminating mundane tasks and reducing human error. Mandiant SaaS integrations save time and help make security teams more proactive. The Mandiant Threat Intelligence API allows security teams to integrate Mandiant Threat Intelligence data directly into their existing security tools and workflows. As part of our ongoing commitment to helping security teams work |
Tool Threat Cloud | ★★ | |
|
2023-04-04 10:30:00 | Score d'alerte à l'échelle de la machine avec une touche humaine Alert Scoring at Machine Scale with a Human Touch (lien direct) |
Protection des risques numériques est un composant clé de toute pile d'intelligence moderne de l'organisation à l'origine de la sécurité.L'avantage mandiant Surveillance des menaces numériques (dtm) Le module offre aux clients la possibilité de gagner une visibilité dans les menaces qui ciblent leurs actifsSur les réseaux sociaux, les sites Web profonds et sombres, les sites de pâte et d'autres canaux en ligne.DTM est composé de Pipelines de traitement du langage naturel avancé qui utilise l'apprentissage automatique pour faire surface d'alertes à haute fidélité basées sursur la détection d'entités significatives et de sujets liés à la sécurité.Mais même après le victoire de vastes collections de mandiant \\,
Digital risk protection is a key component of any security-minded organization\'s modern intelligence stack. The Mandiant Advantage Digital Threat Monitoring (DTM) module provides customers with the ability to gain visibility into threats that target their assets on social media, the deep and dark web, paste sites, and other online channels. DTM is composed of advanced natural language processing pipelines that use machine learning to surface high-fidelity alerts based on the detection of meaningful entities and security-related topics. But even after winnowing down Mandiant\'s vast collections |
Threat | ★★★ | |
|
2023-03-28 10:00:00 | APT43: le groupe nord-coréen utilise la cybercriminalité pour financer les opérations d'espionnage APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (lien direct) |
 Aujourd'hui, nous publions un rapport sur |
Threat | APT 43 APT 43 | ★★★★ |
|
2023-03-23 08:30:00 | UNC961 Dans le multivers de Mandiant: trois rencontres avec un acteur de menace motivé financièrement UNC961 in the Multiverse of Mandiant: Three Encounters with a Financially Motivated Threat Actor (lien direct) |
Les vulnérabilités d'application Web sont comme des portes: vous ne savez jamais qui ou quoi passera.Entre décembre 2021 et juillet 2022, le Maniant Managed Defense et Réponse des incidents Les équipes ont répondu à trois Un961 intrusions dans différentes organisations qui ont commencé chacune de manière similaire.Deux de ces victimes étaient sous la protection de la défense gérée qui a identifié et répondu à la menace avant un impact significatif.Dans la troisième intrusion, l'équipe de réponse aux incidents Mandiant a été contactée après que l'UNC961 avait compromis la victime et transféré l'accès à unc3966.
Ce blog
Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that each started in similar fashion. Two of these victims were under the protection of Managed Defense who identified and responded to the threat before significant impact occurred. In the third intrusion, the Mandiant Incident Response team was contacted after UNC961 had compromised the victim and transferred access to UNC3966. This blog |
Vulnerability Threat | ★★★ | |
|
2023-03-20 07:00:00 | Déplacer, patcher, sortir le chemin: 2022 Exploitation zéro-jour continue à un rythme élevé Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace (lien direct) |
résumé exécutif
mandiant a suivi 55 vulnérabilités zéro jour que nous jugeons ont été exploitées en 2022. Bien que ce décompte soit inférieur à celui du record de 81 81zéro-jours exploités en 2021, il représente toujours presque le double du nombre de 2020.
Les groupes de cyber-espionnage parrainés par l'État chinois ont exploité plus de jours zéro que les autres acteurs de cyber-espionnage en 2022, ce qui est conforme aux années précédentes.
Nous avons identifié quatre vulnérabilités zéro jour exploitées par des acteurs de menace motivés financièrement.75% de ces instances semblent être liées aux opérations de ransomware.
Produits de Microsoft
Executive Summary Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost double the number from 2020. Chinese state-sponsored cyber espionage groups exploited more zero-days than other cyber espionage actors in 2022, which is consistent with previous years. We identified four zero-day vulnerabilities exploited by financially motivated threat actors. 75% of these instances appear to be linked to ransomware operations. Products from Microsoft |
Ransomware Vulnerability Threat | ★★★ | |
|
2023-03-16 11:00:00 | Fortinet Zero-Day et Custom Maleware utilisés par un acteur chinois suspecté dans l'opération d'espionnage Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation (lien direct) |
Les acteurs de la menace cyber-espionnage continuent de cibler les technologies qui ne prennent pas en charge les solutions de détection et de réponse (EDR) telles que les pare-feu, dispositifs IoT , hypervisors et VPN Technologies (par exemple Fortinet , Sonicwall , Pulse Secure et autres).Mandiant a enquêté sur des dizaines d'intrusions à Defense Industrial Base (DIB), le gouvernement, la technologie et les organisations de télécommunications au cours des années où les groupes de Chine-Nexus suspectés ont exploité des vulnérabilités zéro-jours et déployé des logiciels malveillants personnalisés pour voler des informations d'identification et maintenir un accès à long terme et déployéaux environnements victimes.
nous
Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, Pulse Secure, and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments. We |
Malware Vulnerability Threat Industrial | ★★★ | |
|
2023-01-31 16:00:00 | Optimisez vos workflows avec le plug-in de navigateur de l'intelligence Mandiant Advantage Threat Intelligence Optimize Your Workflows with the Mandiant Advantage Threat Intelligence Browser Plug-in (lien direct) |
C'est un mardi matin et vous lisez les canaux de médias sociaux Infosec et que vous appuyez sur vos sites de recherche Intel de menace préférés.Vous tombez sur un CVE que vous ne connaissez pas.Normalement, vous sauterez sur le Web et rechercheriez le CVE ou ouvrez votre produit de sécurité préféré pour comprendre si c'est quelque chose de grave dont votre organisation devrait se soucier.Est-il activement exploité par de mauvais acteurs?Y a-t-il des exploits publiés publiquement?Quel est le risque pour mon organisation?
Et si vous pouviez voir tout cela et plus encore sans quitter la page Web?
le < Span>span>
It\'s a Tuesday morning and you are reading through infosec social media channels and hitting up your favorite threat intel research sites. You come upon a CVE that you are unfamiliar with. Normally, you would jump over to the web and search for the CVE or open up your preferred security product to understand if it is something serious your organization should care about. Is it being actively exploited by bad actors? Are there publicly published exploits? What is the risk to my organization? What if you could see all of this and more without leaving the web page? The Mandiant Advantage |
Threat | ★★★ | |
|
2023-01-26 15:00:00 | Bienvenue au Camp de Goot: suivi de l'évolution des opérations de gootloader Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations (lien direct) |
Depuis janvier 2021, la défense gérée mandiante a systématiquement répondu aux infections à gootloder.Les acteurs de la menace ont jeté un filet répandu lors de la propagation de Gootloader et ont un impact sur un large éventail de verticales et de régions géographiques de l'industrie.Nous n'attribuez actuellement que des logiciels malveillants et une infrastructure de Gootloader à un groupe que nous suivions en tant que UNC2565, et nous pensons qu'il est exclusif à ce groupe.
À partir de 2022, unc2565 a commencé à incorporer des modifications notables aux tactiques,Techniques et procédures (TTP) utilisées dans ses opérations.Ces modifications incluent l'utilisation de multiples variations du lanceur FonelaUnch
Since January 2021, Mandiant Managed Defense has consistently responded to GOOTLOADER infections. Threat actors cast a widespread net when spreading GOOTLOADER and impact a wide range of industry verticals and geographic regions. We currently only attribute GOOTLOADER malware and infrastructure to a group we track as UNC2565, and we believe it to be exclusive to this group. Beginning in 2022, UNC2565 began incorporating notable changes to the tactics, techniques, and procedures (TTPs) used in its operations. These changes include the use of multiple variations of the FONELAUNCH launcher |
Malware Threat | ★★★ | |
|
2023-01-19 15:00:00 | Des acteurs de menace chinois présumés exploitant la vulnérabilité de Fortios (CVE-2022-42475) Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) (lien direct) |
mandiant suit une campagne suspectée de China-Nexus qui aurait exploité une vulnérabilité récemment annoncée dans Fortios SSL-VPN de Fortinet \\, CVE-2022-42475, commeun jour zéro. Les preuves suggèrent que l'exploitation se produisait dès octobre 2022 et que les objectifs identifiés incluent une entité gouvernementale européenne et un fournisseur de services gérés situé en Afrique.
mandiant a identifié un nouveau malware que nous suivons comme "Boldmove" dans le cadre de notre enquête.Nous avons découvert une variante Windows de Boldmove et une variante Linux, qui est spécialement conçue pour fonctionner sur des pare-feu FortiGate.Nous
Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet\'s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa. Mandiant identified a new malware we are tracking as “BOLDMOVE” as part of our investigation. We have uncovered a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls. We |
Malware Vulnerability Threat | ★★★★ |
To see everything:
Our RSS (filtrered)
