Written by: Nick Harbour The eleventh Flare-On challenge is now over! This year proved to be a tough challenge for the over 5,300 players, with only 275 completing all 10 stages. We had a blast making this contest and are…
Tag: Threat Intelligence
(In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments
Written by: Thibault Van Geluwe de Berlaere, Karl Madden, Corné de Jong < div class=”block-paragraph_advanced”>The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved…
Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives
In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named “Civil Defense”. “Civil Defense”…
Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
Written by: Foti Castelan, Max Thauer, JP Glab, Gabby Roncone, Tufail Ahmed, Jared Wilson < div class=”block-paragraph_advanced”> Summary In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in…
How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends
Written by: Casey Charrier, Robert Weiner < div class=”block-paragraph_advanced”>Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. Consistent with past analyses, the majority (97) of these vulnerabilities were exploited as zero-days…
capa Explorer Web: A Web-Based Tool for Program Capability Analysis
Written by: Soufiane Fariss, Willi Ballenthin, Mike Hunhoff, Genwei Jiang, Tina Johnson, Moritz Raabe capa, developed by Mandiant’s FLARE team, is a reverse engineering tool that automates the identification of program capabilities. In this blog post we introduce capa Explorer…
LummaC2: Obfuscation Through Indirect Control Flow
Written by: Nino Isakovic, Chuong Dong Overview This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the…
Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
Written by: Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano, Alice Revelli Strategic Overview of IT Workers Since 2022, Mandiant has tracked and reported on IT workers operating on behalf of the Democratic People’s Republic of North Korea…
UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
Written by: Stav Shulman, Matan Mimran, Sarah Bock, Mark Lechtik < div class=”block-paragraph_advanced”> Executive Summary UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature…
An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
Written by: Marco Galli, Diana Ion, Yash Gupta, Adrian Hernandez, Ana Martinez Gomez, Jon Daniels, Christopher Gardner < div class=”block-paragraph_advanced”> Introduction In June 2024, Mandiant Managed Defense identified a cyber espionage group suspected to have a North Korea nexus, tracked…