Executive Summary
In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure.
This is the first time we…
Read More
Author: Mandiant
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed …
📉 Exploit kit (EK) use has declined since late 2016, but some activity persists.
🌏 The Magnitude Exploit Kit remains active, especially in the APAC region.
🔄 The first reappearance…
Read More
Security professionals are often overwhelmed by the number of management consoles or platforms they need to jump between on any given day. Automating and sharing information into existing workflows can …
Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) …
Mandiant and Ivanti’s investigations into widespread Ivanti zero-day exploitation have continued across a variety of industry verticals, including the U.S. defense industrial base sector. Following the initial publication on Jan. 10, …
capa is the FLARE team’s open source tool that detects capabilities in executable files. Ghidra is an open source software reverse engineering framework created and maintained by the National Security Agency …
Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices. That’s according to …
On Jan. 12, 2024, Mandiant published a blog post detailing two high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and Ivanti Policy Secure (PS) appliances. On …
Mandiant Managed Defense has been tracking UNC4990, an actor who heavily uses USB devices for initial infection. UNC4990 primarily targets users based in Italy and is likely motivated by financial gain. …
Update (Jan. 31): We released a follow-up blog post containing additional details from our investigations into this threat, along with more recommendations for defenders.
Note: This is a developing campaign …
Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with …
In late 2022, Mandiant responded to a disruptive cyber physical incident in which the Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber …
Key Insights
APT29’s pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its counteroffensive, pointing to the SVR’s central role in collecting…
Read More
On June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a Chinese-nexus threat group tracked as UNC4841. In this follow-up blog post, we …
Artificial intelligence (AI) and large language models (LLMs) can help threat intelligence teams to detect and understand novel threats at scale, reduce burnout-inducing toil, and grow their existing talent by …
Mandiant recently published a blog post about the compromise of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Appliances related to the zero-day vulnerability tracked as CVE-2023-3519. CVE-2023-3519 is …
In July 2023, Mandiant Consulting responded to a supply chain compromise affecting a US-based software solutions entity. We believe the compromise ultimately began as a result of a sophisticated spear …
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of …
On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that they …
Imagine you are a homeowner who wants to protect your valuable assets against theft. Vulnerability management is like installing a security system in your home. If someone tries to break …
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access | Mandiant
Mandiant has observed a new ALPHV (aka BlackCat ransomware) ransomware affiliate, tracked as UNC4466, target publicly exposed Veritas Backup Exec installations, vulnerable to CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878, for initial access …
Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded …
Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, …
In part one on North Korea’s UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we …
Since June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed …
Executive Summary
Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply chain attack.
Threat…
Read More
Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and …
There’s a common saying in cyber security, “you can’t protect what you don’t know,” and this applies perfectly to the attack surface of any given organization.
Many organizations have hidden …
In 2021, the global median dwell time—the number of days an attacker is on a victim system before being detected—was 21 days. While security teams have come a long way …
As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not …
In July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked …
Beginning with macOS 10.12 (Sierra), Apple introduced a key change to how logging was done on their systems. This new logging system replaced common Unix logs with macOS Unified Logs. …