FireEye Blog

Threat Research, Analysis, and Mitigation

1589人订阅
ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field Introduction FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements (ICS Healthcheck) performed by Mandiant, FireEye's consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information was acquired from hands-on assessments carried out over the last few years across a broad range of industries, including manufacturing, mining, automotive, energy, chemical, natural gas, and utilities. In this post, we provide details of these risks, and indicate best practices and ...
2018 Flare-On Challenge Solutions We are pleased to announce the conclusion of the fifth annual Flare-On Challenge. The numbers are in and we can safely say that this was by far the most difficult challenge we’ve ever hosted. We plan to reduce the difficulty next year, so it may be that the 114 people who solved this year’s challenge solved not only the most difficult Flare-On to date, but the most difficult Flare-On there ever will be. The prize for these amazing and dedicated Reverse Engineers is a magic decoder buckle and coin insert. It can be used to decode and encode secret messages using a pre-shared k...
FLARE Script Series: Reverse Engineering WebAssembly Modules Using the idawasm IDA Pro Plugin Introduction This post continues the FireEye Labs Advanced Reverse Engineering (FLARE) script series. Here, we introduce idawasm, an IDA Pro plugin that provides a loader and processor modules for WebAssembly modules. idawasm works on all operating systems supported by IDA Pro, and can be obtained from the idawasm GitHub project. Motivation You may have competed in this year’s Flare-On challenge and reached the fifth level only to discover a new file format: a WebAssembly (“wasm”) module. In order to proceed, you had to reverse engineer the key check logic contained in this...
APT38: Details on New North Korean Regime-Backed Threat Group Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim networks inoperable following theft. More importantly, diplomatic efforts, including the recent Department of Justice (DOJ) complaint that outlined attribution to North Korea, have thus far failed to put an end to their activity. We are calling this group APT38. We are releasing a spec...
Increased Use of a Delphi Packer to Evade Malware Classification Introduction The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools. Evasion of classification and detection is an arms race in which new techniques are traded and used in the wild. For example, we observe many crypting services being offered in underground forums by actors who claim to make any malware "FUD" or "Fully Undetectable" by anti-virus technologies, sandboxes and other endpoint solutions. We also see an increased effort to model normal user activity ...
Click It Up: Targeting Local Government Payment Portals FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. Click2Gov is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses. In October 2017, Superion released a statement confirming suspicious activity had affected a small number of customers. In mid-June 2018, numerous media reports referenced at least se...