Portsuppe

IT news

5,431 items

Mandiant Blogolder04/04

Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies

Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persiste

cybersecurity · government-security · unknown-it-category-15
Mandiant Blogolder03/28

SeeSeeYouExec: Windows Session Hijacking via CcmExec

Written by: Andrew Oliveau Over the last several years, the security community has witnessed an uptick in System Center Configuration Manager (SCCM)-related attacks. From extracting network access account (NAA) credentials to deploying malicious applications to targeted devices, SCCM attacks have aided in accomplishing complex objectives and evading existing detections. Mandiant's Red Team has utilized SCCM technology to perform novel attacks against mature clients where conventional methodology

borderlinecybersecurity · government-security · unknown-it-category-15
Mandiant Blogolder03/28

Life After Death? IO Campaigns Linked to Notorious Russian Businessman Prigozhin Persist After His Political Downfall and Death

Written by: Alden Wahlstrom, David Mainor, Daniel Kapellmann Zafra In June 2023, Russian businessman Yevgeniy Prigozhin and his private military company (PMC) “Wagner” carried out an armed mutiny within Russia. The events triggered the meteoric political downfall of Prigozhin, raising questions about the future of his various enterprises that were only underscored when he died two months later under suspicious circumstances. Up to that point, Prigozhin and his enterprises worked to advance the K

borderlinecybersecurity · government-security · unknown-it-category-15
Mandiant Blogolder03/26

Trends on Zero-Days Exploited In-the-Wild in 2023

Written by: Maddie Stone, Jared Semrau, James Sadowski Combined data from Google’s Threat Analysis Group (TAG) and Mandiant shows 97 zero-day vulnerabilities were exploited in 2023; a big increase over the 62 zero-day vulnerabilities identified in 2022, but still less than 2021's peak of 106 zero-days. This finding comes from the first-ever joint zero-day report by TAG and Mandiant. The report highlights 2023 zero-day trends, with focus on two main categories of vulnerabilities. The first is end

cybersecurity · government-security · unknown-it-category-15
Mandiant Blogolder03/22

APT29 Uses WINELOADER to Target German Political Parties

Written by: Luke Jenkins, Dan Black Executive Summary In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting

cybersecurity · government-security · unknown-it-category-15
Mandiant Blogolder03/21

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

Written by: Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, Austin Larsen During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is asse

cybersecurity · government-security · unknown-it-category-15
Mandiant Blogolder03/06

Delving into Dalvik: A Look Into DEX Files

Written by: Aseel Kayal During the analysis of a banking trojan sample targeting Android smartphones, Mandiant identified the repeated use of a string obfuscation mechanism throughout the application code. To fully analyze and understand the application's functionality, one possibility is to manually decode the strings in each obfuscated method encountered, which can be a time-consuming and repetitive process. Another possibility is to use paid tools such as JEB decompiler that allow quick ident

cybersecurity · government-security · unknown-it-category-15
Mandiant Blogolder02/27

When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors

Written by: Ofir Rozmann, Chen Evgi, Jonathan Leathery Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania. Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Is

borderlinecybersecurity · government-security · unknown-it-category-15
Mandiant Blogolder02/27

Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts

Written by: Matt Lin, Robert Wallace, Austin Larsen, Ryan Gandrud, Jacob Thompson, Ashley Pearson, Ashley Frazer Mandiant and Ivanti's investigations into widespread Ivanti zero-day exploitation have continued across a variety of industry verticals, including the U.S. defense industrial base sector. Following the initial publication on Jan. 10, 2024, Mandiant observed mass attempts to exploit these vulnerabilities by a small number of China-nexus threat actors, and development of a mitigation by

cybersecurity · government-security · unknown-it-category-15
PrevPage 179 / 182Next