Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion

Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell...

SUNBURST Additional Technical Details

FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers...

Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452

In December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is being tracked as UNC2452. In some, but not all, of the intrusions associated with this...

Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory

Continuing our discussion of image parsing vulnerabilities in Windows, we take a look at a comparatively less popular vulnerability class: uninitialized memory. In this post, we will look at...

In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover — CVE-2020-14871

FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer’s system and analyzed it to see...

New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452

Executive Summary: In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository. SUNSHUTTLE is a second-stage backdoor written in GoLang that...

Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service

In this blog post we will describe: how attackers use the Background Intelligent Transfer Service (BITS); forensic techniques for detecting attacker activity, with data format specifications; the public release of the BitsParser tool; a...

Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine

Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new...

Unauthorized Access of FireEye Red Team Tools

Overview: A highly sophisticated state-sponsored adversary stole FireEye Red Team tools. Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to...

So Unchill: Melting UNC2198 ICEDID to Ransomware Operations

0
Mandiant Advanced Practices (AP) closely tracks the shifting tactics, techniques, and procedures (TTPs) of financially motivated groups who severely disrupt organizations with ransomware. In May 2020, FireEye released a...