Global attacker median dwell time continues to fall
The global attacker median dwell time continued trending downwards in 2023, and is now 10 days (from 16 days in the previous year).
Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm
APT44 is a threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations.
Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’
US officials and allies have warned about attacks from XakNet and related groups.
Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’
US officials and allies have warned about attacks from XakNet and related groups.
Google: Spyware vendors behind 50% of zero-days exploited in 2023
Google's Threat Analysis Group (TAG) and Google subsidiary Mandiant said they've observed a significant increase in the number of zero-day vulnerabilities exploited in attacks in 2023, many of them linked to spyware vendors and their clients.
APT29 Uses WINELOADER to Target German Political Parties | Mandiant
APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties.
Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’
US officials and allies have warned about attacks from XakNet and related groups.
Evolution of UNC4990: Uncovering USB Malware's Hidden Depths
UNC4990 uses USB devices for initial infection, and is likely motivated by financial gain.
Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’
US officials and allies have warned about attacks from XakNet and related groups.
Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’
US officials and allies have warned about attacks from XakNet and related groups.
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
This ICS/OT attack represents the latest evolution in Russia's cyber physical attack capability.
Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
UNC4841 has continued operations despite Barracuda ESG zero-day remediation efforts.
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection | Mandiant
Ways Chinese cyber espionage activity has increasingly leveraged strategies to evade detection.
The Spies Who Loved You: Infected USB Drives to Steal Secrets
In the first half of 2023, we observed a threefold increase in the number of attacks using infected USB drives to steal secrets.
VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors
Additional techniques UNC3886 utilized across multiple organizations to evade EDR solutions.
Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’
US officials and allies have warned about attacks from XakNet and related groups.
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
Mandiant is investigating a Barracuda ESG appliance zero-day vulnerability being exploited in the wild.
Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft
Analysis of a zero-day vulnerability in MOVEit Transfer, and containment and hardening guidance.
COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises | Mandiant
Mandiant identified novel operational technology (OT) / industrial control system (ICS)-oriented malware, which we track as COSMICENERGY, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
Don't @ Me: URL Obfuscation Through Schema Abuse
Attackers are distributing malware using a technique that abuses the URL schema.
SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack
Attacker activity in Microsoft Azure that we attribute to a financially motivated threat actor.
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
A software supply chain attack led to another software supply chain attack.
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access
A ransomware affiliate is targeting publicly exposed Veritas installations to gain access to organizations.
Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace
- Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020. * Chinese state-sponsored cyber espionage groups exploited more zero-days than other cyber espionage actors in 2022, which is consistent with previous years. * We identified four zero-day vulnerabilities exploited by financially motivated threat actors. 75% of these instances appear to be linked to ransomware operations. * Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6).
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
A suspected Chinese actor used a zero-day vulnerability in FortiOS and custom malware for espionage.
Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations
We have been seeing notable changes to TTPs used in GOOTLOADER operations since 2022.
From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind
A new variant of the URSNIF malware, first observed in June 2022, marks an important milestone for the tool. Unlike previous iterations of URSNIF, this new variant, dubbed LDR4, is not a banker, but a generic backdoor (similar to the short-lived SAIGON variant), which may have been purposely built to enable operations like ransomware and data theft extortion. This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape.
The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform
Bad actors are using a shared Phishing-as-a-Service platform called “Caffeine”.
Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors | Mandiant
Earlier this year, Mandiant identified a novel malware ecosystem impacting VMware ESXi, Linux vCenter servers, and Windows virtual machines that enables a threat actor to take the following actions: 1) Maintain persistent administrative access to the hypervisor 2) Send commands to the hypervisor that will be routed to the guest VM for execution 3) Transfer files between the ESXi hypervisor and guest machines running beneath it 4) Tamper with logging services on the hypervisor
Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying
For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice.