State of the Hack
Author: Mandiant
© 2023 State of the Hack
Description
State of the Hack discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.
39 Episodes
If you are here looking for State of the Hack, we invite you to visit the feed of Mandiant’s new podcast, The Defender’s Advantage Podcast: https://www.buzzsprout.com/1762840 The new show launches this week with the same great content you've come to expect from us and even more. Host Luke McNamara anchors our Threat Trends series, chatting with Mandiant intel analysts, consultants, and researchers, as well as external practitioners and leaders in cyber security, all through a threat-focused lens. And Mandiant's Kerry Matre joins to host monthly conversations with Mandiant customers and industry experts who will share their experiences and stories from the frontline of cyber security as part of our new Frontline Stories series. Stay tuned for our inaugural Threat Trends episode later this week.
Zero-days got you down? There sure have been a lot of high-impact zero-days affecting edge appliances in 2021, in Microsoft Exchange, Pulse Secure, and SonicWall products. In this episode, we're joined by Josh Fleischer, the Managed Defense investigator who uncovered three zero-days in SonicWall Email Security, to discuss detection and investigation of a zero-day, as well as what vendors and customers can do to better prepare for zero-day attacks.
In today's threat landscape, data theft and extortion go hand in hand with ransomware. In this episode of State of the Hack, we talk about how data theft plays a role in modern-day ransomware incidents, how attackers carry out data theft, and how we simulate data theft during our Red Team assessments so clients can test their detective capabilities.
An oft-undiscussed tactic, web shells are a popular way for threat actors of all flavors to gain initial footholds, move laterally, and maintain persistence in a stealthy manner. Austin and Doug discuss a popular exploit that has been observed in the wild leading to web shells and what infosec practitioners can do to protect against this class of malware.
This episode discusses the idea of operational security ("OPSEC") from an attacker's perspective. OPSEC relates to how an attacker or red team might try to make their activities stealthier to avoid detection. During this episode, Evan Pena and Julian Pileggi talk about the various ways the Mandiant Red Team carries out their operational security during an adversary simulation exercise, and interesting techniques they see attackers using that have a high level of operational security.
Join us for our holiday episode as we search for silver bells and silver linings in our move to The Cloud! The cast sits down with Dirk-Jan Mollema to talk Azure AD and Primary Refresh Tokens, and what savvy defenders can do to secure their own cloud credentials.
Malicious Office documents whose module streams contain source code but no p-code are more likely to evade YARA rules and AV detection. This evasion technique is called VBA purging, which is different from the VBA stomping technique observed in the wild. In this episode we discuss what VBA purging is, the difference between purging and stomping, the consequences of this technique, and a new tool created by Mandiant’s Red Team called OfficePurge.
State of the Hack is back! Featuring new hosts Doug Bienstock (@doughsec), Austin Baker (@bakedsec), Julian Pileggi (@x64_Julian), and Evan Pena (@evan_pena2003) and new content. Doug and Austin kick things off and dive into a recent flood of phishing campaigns associated with KEGTAP, aka BazarLoader. They discuss some interesting toolmarks of the KEGTAP attack chain and why it is so dangerous.
On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique - tracking pixels - and how it can inform more restrictive & evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in the wild: Macro Stomping. And we close the show by deep-diving with Matt Bromiley (@_bromiley) on the critical vulnerability we've been responding to most in 2020 - and what we've seen several attackers do post-compromise.

Just as a targeted intruder might, we start our operation with email tracking pixels. We break down how these legitimate marketing tools are leveraged by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware. We break down the different variations on these trackers for both benign and malicious uses. For examples of each style of tracking pixel, see Glyer's recent tweet thread (https://twitter.com/cglyer/status/1222255759687372801). We talk through additional red team operators' responses to how they use this technique in their campaigns today - discussion sparked from this great offensive security discussion (https://twitter.com/malcomvetter/status/1222539003565694985). This trend of professional target profiling - drawing both inspiration and specific tracking tools from the marketing industry - is highly effective and a trend we expect to continue.

Next on the episode, we explain how document profiling accomplishes the same end goal as email pixels - and how it can share information about the current version of Microsoft Office on the potential victim's system. Similar to execution guardrails, this Office version information for Microsoft Word or Excel could be used to deliver malware that is highly evasive and only runs on that profile. We also pivot into some potential use cases for fingerprinting Office versions.
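The pixel-profiling step described above, as an added example (not code from the podcast, Mandiant, or any red-team tool): a per-recipient pixel URL, the log correlation that turns one image fetch into "who opened, when, from where, with which Office build", and the gateway-side check a defender can apply to inbound mail. The campaign key, pixel host, recipient list, User-Agent string and access-log lines are all constructed for the example; the Combined Log Format field layout and the MSOffice token in the Office/WinINet User-Agent are assumptions.

```python
"""
Per-recipient email tracking pixel plus server-side log correlation.

Added example for this page; not code from the podcast, Mandiant or any
red-team tool.  Everything concrete is constructed: the campaign key, the
pixel host, the recipient list and the access-log lines.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

CAMPAIGN_KEY = b"example-campaign-key"           # assumed per-campaign secret
PIXEL_BASE = "https://cdn.example.test/i/p.gif"  # assumed sender-controlled host


def pixel_tag(recipient: str) -> str:
    """Opaque per-recipient tag: an HMAC, so it cannot be guessed or enumerated."""
    mac = hmac.new(CAMPAIGN_KEY, recipient.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def pixel_html(recipient: str) -> str:
    """The 1x1 image a sender embeds; the tag ties the fetch to this recipient."""
    return f'<img src="{PIXEL_BASE}?{urlencode({"t": pixel_tag(recipient)})}" width="1" height="1" alt="">'


# Combined Log Format; the field layout is an assumption, not a vendor format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def client_hints(user_agent: str) -> dict:
    """Pull the profiling-relevant tokens out of a User-Agent string."""
    os_match = re.search(r"Windows NT [\d.]+", user_agent)
    office = re.search(r"MSOffice (\d+)", user_agent)  # assumed Office/WinINet token
    return {
        "os": os_match.group(0) if os_match else None,
        "office": office.group(1) if office else None,
    }


def correlate_opens(log_text: str, recipients: list[str]) -> list[dict]:
    """Map pixel fetches in the log back to the recipients who opened the mail."""
    by_tag = {pixel_tag(r): r for r in recipients}
    opens = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        url = urlparse(m["path"])
        if url.path != urlparse(PIXEL_BASE).path:
            continue
        tag = parse_qs(url.query).get("t", [""])[0]
        if tag not in by_tag:
            continue  # unknown tag: a scanner, sandbox or guess, not a real open
        opens.append({
            "recipient": by_tag[tag],
            "ip": m["ip"],
            "time": m["ts"],
            "client": client_hints(m["ua"]),
        })
    return opens


IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)


def find_tracking_pixels(html: str) -> list[str]:
    """Gateway-side check: remote images declared 1x1 are tracking pixels."""
    hits = []
    for tag in IMG_RE.findall(html):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', tag))
        remote = attrs.get("src", "").startswith(("http://", "https://"))
        tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
        if remote and tiny:
            hits.append(attrs["src"])
    return hits


# Constructed sample data: two targets and a log with one real open plus a
# fetch carrying an unknown tag (e.g. a URL scanner).
RECIPIENTS = ["alice@victim.test", "bob@victim.test"]
SAMPLE_LOG = (
    f'203.0.113.7 - - [05/Feb/2020:14:02:11 +0000] "GET /i/p.gif?t={pixel_tag("alice@victim.test")} HTTP/1.1" '
    '200 43 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; ms-office; MSOffice 16)"\n'
    '198.51.100.4 - - [05/Feb/2020:14:03:51 +0000] "GET /i/p.gif?t=0000000000000000 HTTP/1.1" '
    '200 43 "-" "curl/7.68.0"\n'
)

if __name__ == "__main__":
    for hit in correlate_opens(SAMPLE_LOG, RECIPIENTS):
        print(hit)
    print(find_tracking_pixels(pixel_html("alice@victim.test")))
```

Running it reports one correlated open for alice (IP, timestamp, Windows NT 10.0, Office 16) and ignores the curl fetch with an unknown tag; the os/office fields are exactly what a sender would use to pick a next-stage payload or guardrail. On the defensive side, a mail gateway that strips or proxies remote images, or at least flags 1x1 ones as find_tracking_pixels does, denies the sender that fetch.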
We discuss VBA macro stomping and file format intricacies that require attackers to understand the version of Office a target may be using, in order to create evasive spear phishing lures that may bypass both static and dynamic detections. Rick Cole joins us to talk through an active attacker using macro stomping for evasion - both p-code compiling and PROJECT stream manipulation. Rick walks through a brief overview of the technique and a particular financial threat actor who loves macro stomping as much as they love Onyx. Rick co-authored a blog on the topic (https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html) and has an excellent tweet thread linking to other research (https://twitter.com/a_tweeter_user/status/1225062617632428033).

Finally, we're joined by a surprise second guest! Matt Bromiley drops in to discuss FireEye's efforts to respond to the critical Citrix vulnerability, CVE-2019-19781, for which public exploit code appeared on January 10, 2020. Matt helps us break down some of the activity we've seen since then, including distinct uncategorized clusters of activity for NOTROBIN, coin-mining, and attempted ETERNALBLUE-laced ransomware.

In addition to securing his customers in Managed Defense, Matt's been working with the team to release several blogs, defender tips, and tools on the vulnerability:
• Matt and Nick published an initial blog on the topic – detailing exploit timelines, evasive attackers, and resilient approaches to detection (https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)
• Our colleagues Willi Ballenthin and Josh Madeley unveiled NOTROBIN and the concept of exploit squatter's rights in the blog with the titl
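The VBA purging episode above and the macro stomping discussion here both come down to one structure: a module stream is the PerformanceCache (compiled p-code) followed by the CompressedSourceCode, and the dir stream's MODULEOFFSET says where the split is. Purging drops the PerformanceCache and sets MODULEOFFSET to 0; stomping keeps the p-code and swaps the source. Below is an added example (not code from the podcast, Mandiant, OfficePurge or the Stomp 2 Dis research) that builds normal, purged and stomped module streams and inspects them. The MS-OVBA layout is assumed as just described, the "p-code" is filler bytes, and the compressor emits only literal tokens (a valid container, just not what Office produces).

```python
"""
Split a VBA module stream into its PerformanceCache (p-code) and
CompressedSourceCode parts and tell a purged module from a normal one.

Added example for this page, not code from the podcast, Mandiant or the
OfficePurge tool.  Assumed: the MS-OVBA layout in which the dir stream's
MODULEOFFSET is the length of the p-code preceding the compressed source,
and the compressed source starts with a 0x01 signature byte.  The p-code
bytes are constructed filler, not real compiled VBA.
"""
import math
import struct


def compress_literal_only(data: bytes) -> bytes:
    """Build an MS-OVBA CompressedContainer using literal tokens only.

    Each FlagByte is 0x00 (eight literal tokens follow).  Raises if a chunk's
    data would exceed 4096 bytes, where Office would switch to a raw chunk;
    this helper deliberately leaves that case out.
    """
    out = bytearray(b"\x01")  # SignatureByte
    for start in range(0, len(data), 4096):
        chunk = data[start:start + 4096]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body += b"\x00" + chunk[i:i + 8]
        if len(body) > 4096:
            raise ValueError("literal-only encoding too large; raw chunk needed")
        # Header: bit 15 = compressed, bits 12-14 = 0b011,
        # bits 0-11 = CompressedChunkSize - 3 (size includes this 2-byte header).
        header = (1 << 15) | (0b011 << 12) | (len(body) + 2 - 3)
        out += struct.pack("<H", header) + body
    return bytes(out)


def decompress_container(blob: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (literal and copy tokens)."""
    if not blob or blob[0] != 0x01:
        raise ValueError("missing 0x01 CompressedContainer signature")
    out = bytearray()
    pos = 1
    while pos < len(blob):
        header = struct.unpack_from("<H", blob, pos)[0]
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = min(len(blob), pos + (header & 0x0FFF) + 3)
        compressed = bool(header >> 15)
        pos += 2
        if not compressed:  # raw chunk: 4096 bytes copied verbatim
            out += blob[pos:pos + 4096]
            pos += 4096
            continue
        chunk_out_start = len(out)
        while pos < chunk_end:
            flags = blob[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(blob[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", blob, pos)[0]
                pos += 2
                # The offset/length bit split depends on how much of this
                # chunk has been decompressed so far (MS-OVBA CopyToken rules).
                done = len(out) - chunk_out_start
                bits = max(4, math.ceil(math.log2(done))) if done > 1 else 4
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                src = len(out) - offset
                for k in range(length):
                    out.append(out[src + k])
    return bytes(out)


def build_module_stream(pcode: bytes, source: str) -> tuple[bytes, int]:
    """Return (module stream, MODULEOFFSET).  A purged module has pcode == b''."""
    return pcode + compress_literal_only(source.encode("latin-1")), len(pcode)


def inspect_module(stream: bytes, module_offset: int) -> dict:
    """Split a module stream with the dir-stream MODULEOFFSET and classify it."""
    source = decompress_container(stream[module_offset:]).decode("latin-1")
    return {
        "pcode_bytes": module_offset,
        "source": source,
        # Purged: MODULEOFFSET is 0 and the stream opens with the container
        # signature, so signatures written against p-code have nothing to hit.
        "purged": module_offset == 0 and stream[:1] == b"\x01",
    }


# Constructed samples: the macro text is illustrative, the "p-code" is filler.
MALICIOUS_SOURCE = 'Sub AutoOpen()\r\n    Shell "cmd.exe /c whoami"\r\nEnd Sub\r\n'
BENIGN_SOURCE = "Sub AutoOpen()\r\nEnd Sub\r\n"
FAKE_PCODE = bytes(range(256)) * 2


def demo() -> dict:
    cases = {
        "normal": build_module_stream(FAKE_PCODE, MALICIOUS_SOURCE),
        "purged": build_module_stream(b"", MALICIOUS_SOURCE),
        # Stomped: the p-code still runs the real payload, the source was
        # swapped for something benign.  The source alone cannot reveal this.
        "stomped": build_module_stream(FAKE_PCODE, BENIGN_SOURCE),
    }
    return {name: inspect_module(stream, off) for name, (stream, off) in cases.items()}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["pcode_bytes"], info["purged"], repr(info["source"][:30]))
```

Run it and the purged case reports pcode_bytes 0 and purged True while the other two report p-code present. The stomped case is the caveat: its source decompresses to the benign stub, so a check like this catches purging only; for stomping the p-code itself has to be disassembled (the pcodedmp tool does this) and compared against the source.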
In response to increased U.S.-Iran tensions stemming from the recent killing of Quds Force commander Qasem Soleimani by U.S. forces and concerns of potential retaliatory cyber attacks, we're bringing the latest from our front-line experts on all things Iran. Christopher Glyer and Nick Carr are joined by Sarah Jones (@sj94356) and Andrew Thompson (@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups - including APT33, APT34, APT35, APT39, and TEMP.Zagros - as well as the freshest actionable information on suspected Iranian uncategorized (UNC) groups that are active right now.

We get right into it with a picture of Iranian compromise activity from just a few years ago - what we observed and the basic, cookie-cutter approach to their intrusions - and then begin to walk through the stark contrast to their TTPs today. We discuss how and why their Computer Network Operations (CNO) have evolved quickly and provide a detailed walk through all of the graduated Iranian APT groups.

Our experts share their experiences with each group, moments in time that surprised or impressed us from Iranian threat actors, and notable shifts in behavior - as well as our standing questions. Iranian intrusion operators have come a long way from DDoS & defacement, basic scanning, Cain & Abel and ASPXSpy... to DNS hijacking, social engineering via LinkedIn, information operations, and backdoors like QUADAGENT, SANDSPY, TANKSHELL - then filling in the gaps with the quick adoption of offensive security post-compromise tools and techniques.

We close this first episode of season 3 with an overview of actionable mitigations to secure against both Iranian intrusions and several other threats, including disruptive and destructive ransomware attacks.
For more information on these mitigations as well as our public source material supporting the discussion from the show, please check out:
• APT33 graduation: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html and https://www.brighttalk.com/webcast/10703/275683
• APT33 webinar & examples: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
• An example TEMP.Zagros phishing campaign: https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
• APT35 highlights in M-Trends 2018: https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
• Iranian information operations: https://www.fireeye.com/blog/threat-research/2018/08/suspected-iranian-influence-operation.html
• RULER home page usage by Iranian groups & mitigations: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• APT39 graduation: https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
• Iranian DNS hijacking (DNSpionage): https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
• More Iranian influence operations: https://www.fireeye.com/blog/threat-research/2019/05/social-media-network-impersonates-us-political-candidates-supports-iranian-interests.html
• APT34 social engineering via LinkedIn: http://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
• FireEye response to mounting U.S.-Iran tensions: https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-response-to-mounting-us-iran-tensions.html
• U.S.-Iran tensions webinar & mitigations overview: https://www.brighttalk.com/webcast/7451/382779
Ho ho homepage! Christopher Glyer and Nick Carr are back for the last episode of 2019. They’re closing the year with a look at this month’s front-line espionage activity and a whole bunch of FIN intrusions! In addition to the threat round-up, they highlight some of our Mandiant consultants doing that work and a few DFIR tricks they included in a recent blog: https://www.fireeye.com/blog/threat-research/2019/12/tips-and-tricks-to-analyze-data-with-microsoft-excel.html

As a special bonus, Santa dropped off a slide clicker for the show, so Nick and Christopher decide to go deep on their recent presentation at #CYBERWARCON on “red sourcing.” An episode sure to make them friends on infosec Twitter! The presentation was a 10 minute #threatintel lightning talk, but embracing the Christmas spirit, the gang tries to navigate a sensitive area of current debate by spending more time on red sourcing & providing some evidence and observations on APT groups moving to publicly released post-compromise tooling; some potential motivations; and then questioning whether any tool can ever be fully controlled (e.g. the Delpy/MIMIKATZ evil maid scenario, or Turla recently co-opting APT34 access & tools). Because RULER.HOMEPAGE was touched on in the talk, they expand a bit further on this and highlight the recent blog that Nick co-authored on how attackers (like UNC1194) can conduct intrusions from just a single registry key. They also question whether the technique’s usage via Outlook installed by Office 365’s Click-to-Run is technically CVE-2017-11774 or not. I guess we need another episode with MSRC! They end the year with some spicy predictions for 2020. You’ll see. Thanks for watching and listening this year!

This episode was sponsored by bad decisions and office holiday parties - and especially both.
Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution & injection techniques that are working in the wild.

In previous episodes, the gang has discussed the shift by attackers - both authorized and unauthorized - away from PowerShell and scripting-based tooling to C# and shellcode, driven by the improved visibility, detection, and prevention provided by more logging, AMSI, and endpoint security tooling. In this episode, they explore how FireEye's Mandiant Red Team has responded to this pressure and the techniques they've used to continue to operate.

Casey and Evan share their research around the benefits & drawbacks of the three primary techniques for running shellcode and a project they just released - DueDLLigence - to enable conversion of any shellcode into flexible DLLs for sideloading or LOLbin'ing: https://github.com/fireeye/DueDLLigence

If you want to learn more, check out their blog and #DailyToolDrop at: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Shellabrate good times come on!
Christopher Glyer and Nick Carr sit down with the top two Steves from Advanced Practices: Steve Stone (@stonepwn3000) and Steve Miller (@stvemillertime) to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit.

With team members embedded on every investigation, they dissect the key takeaways from the past year’s responses and trends in tracking the groups and techniques that matter. They cover the behind-the-scenes of recent FIN7 events* and put that in perspective against Steve Miller’s PDB research** and other research presented at the summit, including talks from Advanced Practices team members on proactive identification of C2, deep code signing research, and rich header hunting at scale. We quickly highlight a favorite talk, “Living off the Orchard”***, revealing TTPs and artifacts left behind from the million-Mac engagement. There’s double the chance you’ll enjoy Steve as a guest – and we were pleased to finally have them on.

NOTE: Glyer live-tweeted the technical track**** throughout the summit; additional blogs and videos are expected to be released.

* https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html
** https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
*** https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html
**** https://twitter.com/cglyer/status/1181978827028873221
Christopher Glyer and Nick Carr interview Matt Berninger (@secbern) about his journey from Incident Responder to Data Scientist and how that has shaped his perspective on ML applications and issues in the industry today. This discussion provides a brief overview of Data Science fundamentals and how they apply to common cybersecurity problems. They also discuss how to navigate the deluge of ML marketing and what considerations to make before including ML in your security stack. Finally, they dive into some recent Data Science projects and explain how the FireEye Data Science team works with practitioners around the company to solve complex problems.
Christopher Glyer and Nick Carr interview Dave Kennedy (@HackingDave) on his experience running DerbyCon over the years, what conferences he plans to attend next, and future plans to build and support DerbyCon Communities (DerbyCom). Red teaming in the last few years has started to get harder due to improvements in security visibility, improved security tools, and better SOC teams. They discuss how Dave's red team at @TrustedSec uses security tools to baseline what their activity looks like so they can try to blend in with legitimate activity, and the trend of red teams shifting away from PowerShell to C-based tools/backdoors. Finally, they discuss both new and old (but still effective) techniques recently seen in the wild that can evade detection, including py2exe- and pyinstaller-based backdoors/tools.
Christopher Glyer and Nick Carr interview Nate Warfield (@n0x08) on his experience working at Microsoft's Security Response Center (MSRC). They discuss how Nate's team manages the vulnerability reporting and fix/remediation process across Microsoft's range of products/services, and debate what makes the BlueKeep and DejaBlue vulnerabilities different from previous vulnerabilities and why this particular set of vulns took so long to have public exploit code available. Nate also shares his first-hand experience with responding to the Shadow Brokers release of exploits and thoughts on the release of the WannaCry worm.
In this episode, Christopher Glyer and Nick Carr interview Darkoperator (@Carlos_Perez) and Benjamin Delpy (@gentilkiwi) on all things related to Mimikatz and Kekeo. They discuss Carlos' new class on Mimikatz, the background on why he started it, how red teamers can use the features in unique/creative ways, and how blue teamers can detect the activity. Benjamin shares the background on how he developed the tools (hint - he didn't read the Kerberos RFC), some of their lesser known capabilities, like cloning near field communication (NFC) proximity badges, how Kerberos golden tickets got their default 10 year lifetime, why you only really need to set the expiration to 20 minutes, and his "creative" documentation (e.g. animated GIFs posted to Twitter).
This is our APT group graduation party for APT41: Double Dragon, conducting both Chinese state-sponsored espionage activity and personal financially-motivated activity. You've read the report* and on this episode, Christopher Glyer and Nick Carr go behind the scenes with two technical experts, Jackie O'Leary and Ray Leong, who worked for months to produce the report. We answer viewer questions and discuss sifting years of incident response data, peppered with Glyer's IR war stories, and fascinating malware and techniques analyzed by our reverse engineers in FLARE. Ray and Jackie share their experiences with the threat group and challenges in the graduation process. We cover what makes them sophisticated and deep-dive on their supply chain attacks & guardrails, passive & cross-platform backdoors, rootkits & bootkits, legit services usage, and third party access via TeamViewer.
We are kicking off a new segment on State of the Hack - an audio-only deep dive discussion with authors from popular technical blogs. On this episode, Christopher Glyer and Nick Carr spoke with FireEye's Blaine Stancill (@MalwareMechanic) and Omar Sardar (@osardar1) on their recent blog post, "Finding Evil in Windows 10 Compressed Memory." You can read the full post here: https://feye.io/33dzIQD
We interviewed one of our most tenured analysts, Barry Vengerik (@barryv), on a range of viewer-requested topics including: a FIN7 retrospective, the recent surge of Iranian threat activity, APT34 targeting organizations via LinkedIn messaging, FSB contractor leaks, APT36 USB drop attacks, and some tales of recent investigations involving insider threats.

This episode brought to you by Combi Security: "Creative Red Teaming with Flexible payment options"