Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Executive Summary
Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.
This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse...
Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure
High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology (OT). However, there is a continued perception across critical infrastructure organizations that...
M-Trends 2021: A View From the Front Lines
We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination of...
A deep dive into Saint Bot, a new downloader
Saint Bot is a downloader that has been used to drop stealers. We take a deep look at it and its accompanying panel.
This post was authored by Hasherezade...
Aurora campaign: Attacking Azerbaijan using multiple RATs
We identified a new Python-based RAT targeting Azerbaijan from the same threat actor we profiled a month ago.
This post was authored by Hossein Jazi
As tensions between Azerbaijan and...
Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service
In this blog post we will describe:
How attackers use the Background Intelligent Transfer Service (BITS)
Forensic techniques for detecting attacker activity with data format specifications
Public release of the BitsParser tool
A...
New steganography attack targets Azerbaijan
A lure document targeting Azerbaijan uses steganography to conceal a remote administration Trojan.
This blog post was authored by Hossein Jazi
Threat actors often vary their techniques to thwart security...
New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452
Executive Summary
In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository.
SUNSHUTTLE is a second-stage backdoor written in GoLang that...
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web...
Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory
Continuing our discussion of image parsing vulnerabilities in Windows, we take a look at a comparatively less popular vulnerability class: uninitialized memory. In this post, we will look at...