Tag: Threat Intelligence
AI LLM Official Blog Threat Intelligence | Nov. 18, 2024 | Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation - This blog post discusses how artificial intelligence (AI) and large language models (LLMs) can be used to enhance adversarial emulation and improve cybersecurity.
Official Blog Threat Intelligence | Nov. 18, 2024 | Emerging Threats: Cybersecurity Forecast 2025 - The Cybersecurity Forecast 2025 report from Google Cloud provides insights into anticipated threats and cybersecurity trends for the coming year. It highlights the increasing use of AI by threat actors for sophisticated attacks, the potential impact of AI on information operations, and the continued prevalence of ransomware and multifaceted extortion.
Official Blog Threat Intelligence | Nov. 11, 2024 | Flare-On 11 Challenge Solutions - The eleventh Flare-On challenge, a global cybersecurity competition, concluded with over 5,300 participants and only 275 completing all 10 stages. All challenge binaries and solutions are now available on the Flare-On website.
Official Blog Threat Intelligence | Nov. 11, 2024 | (In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments - Mandiant's Red Team discovered a novel way adversaries can move laterally and elevate privileges within Microsoft Entra ID when organizations use Intune-managed Privileged Access Workstations (PAWs), by abusing Intune permissions (DeviceManagementConfiguration.ReadWrite.All) granted to Entra ID service principals.
Official Blog Threat Intelligence | Nov. 4, 2024 | Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives - Russian threat actors, likely operating as part of a hybrid espionage and influence campaign, have been targeting potential Ukrainian military recruits with malware and anti-mobilization narratives. The campaign, dubbed UNC5812, uses a Telegram persona called "Civil Defense" to deliver malware and spread anti-Ukrainian propaganda. The malware, delivered via a website and Telegram channel, includes commodity malware variants such as SUNSPINNER, Pronsis Loader, PURESTEALER, and CRAXSRAT.
Official Blog Threat Intelligence | Oct. 28, 2024 | Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) - In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances. The vulnerability, CVE-2024-47575, allows unauthorized threat actors to execute arbitrary code or commands against vulnerable FortiManager devices. Mandiant observed a new threat cluster, UNC5820, exploiting this vulnerability as early as June 27, 2024.
Official Blog Threat Intelligence | Oct. 21, 2024 | How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends - In 2023, Mandiant analyzed 138 vulnerabilities that were exploited in the wild, with a striking 97 of them being zero-days. This indicates a significant increase in zero-day exploitation compared to previous years. The average time-to-exploit (TTE) dropped dramatically to just five days, highlighting the urgency for organizations to prioritize patching and implement robust security measures. While exploit releases and media attention do not directly predict exploitation timelines, they should still be considered alongside other factors when assessing vulnerability risk.
Official Blog Threat Intelligence | Oct. 7, 2024 | capa Explorer Web: A Web-Based Tool for Program Capability Analysis - capa Explorer Web is a web-based tool that allows users to interactively browse and display capa results in multiple viewing modes. It provides an intuitive way to visualize capa analysis results, including rule matches, function capabilities, and process capabilities. Users can sort, search, and filter results, and view detailed information for each rule match. capa Explorer Web also integrates with VirusTotal, allowing users to explore capa results directly from VirusTotal.
Official Blog Threat Intelligence | Sept. 30, 2024 | Staying a Step Ahead: Mitigating the DPRK IT Worker Threat - North Korea's IT workers pose a significant and growing cyber threat, targeting businesses globally for financial gain and state objectives. They use stolen identities, remote access tools, and sophisticated evasion tactics to gain employment and maintain access to corporate systems.
GCP Certification Official Blog Threat Intelligence | Sept. 30, 2024 | Introduction to Threat Intelligence and Attribution course, now available on-demand - Google Threat Intelligence and Google Cloud Security have released an on-demand course called "Introduction to Threat Intelligence and Attribution." This six-hour, five-module course is designed for cybersecurity practitioners and covers topics such as the components of a threat group, exploring raw information to discover potential relationships, and recognizing threat actor behaviors.
Official Blog Threat Intelligence | Sept. 23, 2024 | UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
Official Blog Threat Intelligence | Sept. 23, 2024 | An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader - UNC2970, a cyber espionage group suspected to have a North Korea nexus, targeted victims in U.S. critical infrastructure sectors using a trojanized PDF reader. The group sent malicious ZIP archives containing a password-protected PDF and a modified version of SumatraPDF, a legitimate PDF viewer. This technique did not exploit a vulnerability in the original SumatraPDF source code.
Event Official Blog Threat Intelligence | Sept. 16, 2024 | Announcing the 11th Annual Flare-On Challenge - The Flare-On Challenge is an annual reverse engineering contest held by the FLARE team. This year marks its 11th year running and will feature 10 challenges covering a range of platforms and technologies, including Windows, Linux, JavaScript, .NET, YARA, UEFI, Verilog, and Web3. The contest will run for six weeks, from September 27th to November 8th, 2024. Successful participants will receive a prize and have their names etched into the Hall of Fame on the Flare-On website.
Official Blog Threat Intelligence | Sept. 16, 2024 | Protecting Multi-Cloud Resources in the Era of Modern Cloud-Based Cyberattacks - In the era of multi-cloud adoption, organizations face new security challenges due to expanded attack surfaces and complex permission structures. Mandiant's white paper explores critical risks and provides a framework for establishing a robust security posture in multi-cloud environments. The paper examines real-world attack scenarios and introduces a cloud-agnostic tiered security model to protect privileged access to critical assets.
Official Blog Threat Intelligence | Sept. 16, 2024 | Insights on Cyber Threats Targeting Users and Enterprises in Mexico - Mexico faces a complex cyber threat landscape, with global and local threats targeting critical sectors and exploiting digital infrastructure. Cyber espionage operations from multiple nations, including China, North Korea, and Russia, target users and organizations in Mexico.
Official Blog Threat Intelligence Web3 | Sept. 9, 2024 | DeFied Expectations — Examining Web3 Heists - In the realm of Web3, where money flows, crime follows. This article delves into the escalating heists targeting decentralized finance (DeFi), which now surpass traditional finance in both scale and frequency.
Official Blog Threat Intelligence | Sept. 2, 2024 | A Measure of Motive: How Attackers Weaponize Digital Analytics Tools - To defend against attacks that weaponize digital analytics tools, defenders should implement automated analysis around link shorteners, IP geolocation utilities, and CAPTCHA tools. Users should also be cautious when clicking on ads or links in ads, double-checking the destination website address (URL) to make sure it matches the company or product in the ad and does not contain typos.
Official Blog Threat Intelligence | Sept. 2, 2024 | I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation - Mandiant has uncovered an Iranian counterintelligence operation that targets Iranian dissidents, activists, and Farsi speakers. The operation uses fake social media accounts to promote a network of fake recruiting websites that collect personal information from users. The campaign has been active since at least 2017 and has targeted individuals in Iran, Syria, and Lebanon.
Official Blog Threat Intelligence | Aug. 26, 2024 | PEAKLIGHT: Decoding the Stealthy Memory-Only Malware - PEAKLIGHT is a new memory-only dropper that uses a complex, multi-stage infection process. It decrypts and executes a PowerShell-based downloader that delivers malware-as-a-service infostealers.
Official Blog Threat Intelligence | Aug. 19, 2024 | Hacking Beyond .com — Enumerating Private TLDs - The article discusses a new tool called tldfinder, developed in collaboration with ProjectDiscovery, for discovering TLDs (top-level domains), associated subdomains, and related domain names.
Official Blog Threat Intelligence | Aug. 5, 2024 | UNC4393 Goes Gently into the SILENTNIGHT
Official Blog Threat Intelligence | July 29, 2024 | APT45: North Korea’s Digital Military Machine - APT45 is a North Korean cyber operator that has been active since at least 2009. The group has carried out espionage campaigns and financially-motivated operations, and is suspected of developing ransomware. APT45 has targeted government agencies, defense industries, the financial sector, critical infrastructure, and healthcare and pharmaceutical companies. The group uses a mix of publicly available tools, modified malware, and custom malware families.
Official Blog Threat Intelligence | July 29, 2024 | Whose Voice Is It Anyway? AI-Powered Voice Spoofing for Next-Gen Vishing Attacks - AI-powered voice cloning can now mimic human speech with uncanny precision, making phishing schemes more realistic. Attackers can use AI-powered voice cloning in various phases of the attack lifecycle, including initial access, lateral movement, and privilege escalation.
Official Blog Threat Intelligence | July 22, 2024 | APT41 Has Arisen From the DUST
Gemini Official Blog Security Threat Intelligence | July 22, 2024 | AI-Powered Learning: Your NIST NICE Prompt Library (Built with Google Gemini) - The NIST NICE framework provides a roadmap for cybersecurity education and workforce development. It maps roles to the specific tasks, knowledge, and skills (TKSs) needed to carry out each role's responsibilities. AI-powered prompts can help you navigate this roadmap and accelerate your mastery of the essential competencies outlined in the NICE framework.
Gemini Official Blog Threat Intelligence | July 22, 2024 | Scaling Up Malware Analysis with Gemini 1.5 Flash - Google's Gemini 1.5 Flash model, designed for large-scale malware analysis, processes up to 1,000 requests per minute and 4 million tokens per minute. It analyzes decompiled binaries, providing accurate summary reports in human-readable language.
Security Threat Intelligence | July 22, 2024 | Google Cloud Security Threat Horizons Report #10 Is Out!
Official Blog Threat Intelligence | July 15, 2024 | Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO - NATO faces a barrage of malicious cyber activity from state-sponsored actors, hacktivists, and criminals. These threats include cyber espionage, disruptive and destructive cyberattacks, and disinformation and information operations. The war in Ukraine has coincided with bolder and more reckless cyber activity against NATO allies.
Official Blog Threat Intelligence | July 1, 2024 | Global Revival of Hacktivism Requires Increased Vigilance from Defenders - Hacktivism has seen a resurgence since early 2022, with actors using more sophisticated tactics and targeting a wider range of organizations. This new wave of hacktivism is driven by various motivations, including geopolitical conflicts, financial gain, and anti-establishment ideologies.
Official Blog Threat Intelligence | June 24, 2024 | Cloaked and Covert: Uncovering UNC3886 Espionage Operations
Official Blog Threat Intelligence | June 17, 2024 | UNC3944 Targets SaaS Applications - UNC3944, a financially motivated threat group, has shifted its focus from credential harvesting and ransomware to data theft extortion without ransomware. They target SaaS applications and use social engineering techniques to gain initial access, often by impersonating IT support and requesting MFA resets. UNC3944 abuses Okta permissions to expand intrusions beyond on-premises infrastructure to cloud and SaaS applications. To mitigate these threats, organizations should implement host-based certificates with multi-factor authentication for VPN access, create stricter conditional access policies, and monitor SaaS applications for suspicious activity.
Official Blog Threat Intelligence | June 17, 2024 | Insights on Cyber Threats Targeting Users and Enterprises in Brazil - Brazil faces a unique cyber threat landscape due to the interplay of global and local threats. Cyber espionage actors from various countries target Brazilian users and organizations, with the PRC, North Korea, and Russia being the most prominent. Brazil also faces threats from domestic cybercriminals who engage in account takeovers, carding, fraud, and banking malware deployment. The rise of the Global South, with Brazil at the forefront, marks a shift in the geopolitical landscape that extends into the cyber realm, making Brazil an increasingly attractive target for cyber threats.
Official Blog Threat Intelligence | June 17, 2024 | UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion - UNC5537, a financially motivated threat actor, has been targeting Snowflake customer database instances for data theft and extortion. The threat actor gains access to Snowflake customer instances using stolen customer credentials obtained from infostealer malware campaigns. UNC5537 has compromised multiple organizations' Snowflake instances, exfiltrated sensitive data, and attempted to extort the victims. The campaign highlights the importance of enforcing multi-factor authentication, rotating credentials regularly, and implementing network allow lists to protect against unauthorized access.
Official Blog Threat Intelligence | June 10, 2024 | Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics - The 2024 Paris Olympics face an elevated risk of cyber threats, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations.
Official Blog Threat Intelligence | May 27, 2024 | IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders - China-nexus cyber espionage actors are increasingly using ORB networks to conduct espionage operations, making it more difficult for defenders to detect and attribute attacks. ORB networks are made up of compromised devices, such as routers and IoT devices, that are used to relay traffic and obfuscate the source of attacks. This trend challenges traditional defense strategies that rely on blocking adversary infrastructure, as ORB networks are constantly evolving and difficult to track.
Official Blog Threat Intelligence | May 27, 2024 | Holes in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets - Bitbucket Secured Variables can be leaked in your pipeline and expose you to security breaches. To protect your secrets, store them in a dedicated secrets manager, closely review Bitbucket artifact objects, and deploy code scanning throughout the full lifecycle of your pipeline.
Official Blog Security Threat Intelligence | May 13, 2024 | Introducing Google Threat Intelligence: Actionable threat intelligence at Google scale
Official Blog Threat Intelligence | May 6, 2024 | Uncharmed: Untangling Iran's APT42 Operations
Official Blog Threat Intelligence | May 6, 2024 | From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis
Official Blog Threat Intelligence | April 29, 2024 | Poll Vaulting: Cyber Threats to Global Elections - Elections globally are under fire from cyberattacks targeting not just voting systems but also campaigns, media, and social media. State actors pose the biggest threat, but others join in. Strong defenses and awareness of diverse attack methods are crucial to safeguard elections.
Official Blog Security Threat Intelligence | April 29, 2024 | M-Trends 2024: Our View from the Frontlines - Mandiant's latest M-Trends report highlights a concerning trend: attackers are actively working to evade detection and stay on compromised systems longer. The report analyzes data from 2023, revealing a rise in tactics such as targeting unmonitored devices, using zero-day exploits, and leveraging legitimate tools.
Official Blog Threat Intelligence | April 29, 2024 | FakeNet-NG Levels Up: Introducing Interactive HTML-Based Output - FakeNet-NG is a network analysis tool used to capture network traffic and simulate network services to help researchers understand malware behavior. Recently, FakeNet-NG was updated to generate interactive HTML reports that present captured data in a more user-friendly way.
Official Blog Threat Intelligence | April 22, 2024 | Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm
Official Blog Security Threat Intelligence | April 8, 2024 | Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies - Mandiant has responded to incidents involving exploited Ivanti Connect Secure VPN appliances. This blog post outlines the post-exploitation activity observed, including lateral movement and malware deployment. Mandiant recommends patching and following Ivanti's guidance to mitigate the vulnerabilities.
Official Blog Threat Intelligence | April 1, 2024 | Trends on Zero-Days Exploited In-the-Wild in 2023
Official Blog Threat Intelligence | April 1, 2024 | SeeSeeYouExec: Windows Session Hijacking via CcmExec - In this blog post, we delve into how the CcmExec service can be utilized for session hijacking and introduce CcmPwn, a tool designed to facilitate this technique.