Threat Intelligence Reports
Stealthy Tactics Define a Russian Cyber Threat Group
Read about the recently discovered HAMMERTOSS, a malware backdoor created by the Russian APT group APT29. Download the report to learn:
- How HAMMERTOSS works—the five stages, from looking for a Twitter handle to executing commands, including uploading the victim’s data to cloud storage services
- Who APT29 is—their history, targets and methodology
- Why it’s difficult to detect HAMMERTOSS
Threat Intelligence on Advanced Attack Groups and Technology Vulnerabilities
FireEye regularly publishes threat intelligence reports that describe the members of advanced persistent threat (APT) groups, how they work, and how to recognize their tools, tactics, and procedures. Threat intelligence reports also cover vulnerabilities of specific business technologies, such as email, sandboxes, and mobile devices. With access to such details, cyber security experts can build better defenses against these APT groups and advanced cyber attacks.
Threat Intelligence: Attack Groups
- HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Threat intelligence on the history, targets, and methodology of the Russian APT29 group that created the elusive malware backdoor HAMMERTOSS.
- An Inside Look: Into the World of Nigerian Scammers. Threat intelligence on a Nigeria-based scam, including its targets, tactics, organization, expertise, techniques, tools, and most importantly, how you can protect yourself from losing thousands of dollars.
- APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic. Threat intelligence on how the China-based APT17 group used Microsoft’s TechNet blog for its Command-and-Control (CnC) operation.
- APT30: The Mechanics Behind A Decade Long Cyber Espionage Operation. Threat intelligence on the APT30 group, which directed an extended cyber attack on government and commercial targets with critical political, economic, and military information.
- APT1: Exposing One of China's Cyber Espionage Units. Threat intelligence on the APT1 group, which has conducted a cyber espionage campaign against a broad range of victims since at least 2006.
- APT1: Digital Appendix and Indicators. Threat intelligence with a list of more than 3,000 APT1 indicators, including domain names, IP addresses, X.509 encryption certificates and MD5 hashes of malware in APT1's arsenal of digital weapons.
- Behind the Syrian Conflict's Digital Front Lines. This report highlights how Syrian opposition forces fell victim to a well-executed hacking operation targeting secret communications and plans.
- Hacking the Street? FIN4 Likely Playing the Market. The FIN4 group targets over 100 publicly traded companies and advisory boards. Find out the targeted industries, techniques used, and more.
- APT28 - a window into Russia's cyber espionage operations. Report that uncovers how a Russian attack group targets insider information related to governments, militaries, and security organizations.
- Operation Saffron Rose. Insight into multiple cyber-espionage operations against companies in the U.S. defense industrial base and Iranian dissidents.
- Operation "Ke3chang": Targeted Attacks Against Ministries of Foreign Affairs. Insight into how ministries of foreign affairs in Europe were targeted and compromised by a threat actor FireEye has dubbed “Ke3chang”.
- Supply Chain Analysis: From Quartermaster to Sunshop. Examination of 11 seemingly unrelated APT campaigns that, upon further investigation, reveal shared characteristics that suggest a common “supply-chain” infrastructure.
Threat Intelligence: Technologies
- Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. An in-depth look at how Windows Management Instrumentation (WMI) has been used by attackers and what network defenders can do to properly detect and respond to attacks that utilize WMI.
- Mobile Threat Report. This report details several aspects of key mobile threats, covering targeted malware, adware and non-malicious apps with serious vulnerabilities.
- Hot Knives Through Butter: Evading File-based Sandboxes. Overview of techniques used to evade off-the-shelf file-based sandboxes.
- A Daily Grind: Filtering Java Vulnerabilities. This report examines the inner workings of three commonly exploited Java vulnerabilities, their behaviors, and the infection flow of exploit kits that target them.
- Investigating PowerShell Attacks. This paper focuses on forensic analysis and discusses the Windows security controls intended to limit malicious usage of PowerShell, and the authors’ assumptions regarding an attacker’s level of access.
- Digital Bread Crumbs: Seven Clues To Identifying Who's Behind Advanced Cyber Attacks. Insight into what to look for to help identify attackers.
- Leviathan: Command and Control Communications on Planet Earth. This report analyzes first-stage command and control (C2) malware callbacks from FireEye clients around the world.
- Sidewinder Targeted Attack Against Android in the Golden Age of Ad Libraries. A look at how the Sidewinder Targeted Attack allows threat actors to take over Android devices to track location, take photos, send texts, and more via the ad libraries Android apps are built on.
- DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry. Insight into this popular cyber attack method and measures to take to ensure legitimate files are not exploited.
- Brewing Up Trouble: Analyzing Four Widely Exploited Java Vulnerabilities. Examination of the inner workings of the four most commonly exploited Java vulnerabilities.
- The Little Malware That Could: Detecting and Defeating the China Chopper Web Shell. Information on the features that make the China Chopper Web Shell a popular tool for cyber attackers and how to better detect it.
- Poison Ivy: Assessing Damage and Extracting Intelligence. Information on Poison Ivy, a RAT that is still being used, and Calamine, a set of free tools to detect Poison Ivy infections.
- Top Words Used in Spear Phishing Attacks. Insight into the nature of files used by cybercriminals to bypass traditional security defenses.