Archive for Mandiant

Mandiant Discovers Pro Chinese Information Operations Campaign

Posted in Commentary on August 4, 2022 by itnerd

Mandiant today has released their findings on an ongoing pro-PRC information operations (IO) campaign that leverages infrastructure from a Chinese PR firm to spread content through inauthentic news sites. Mandiant identified at least 72 suspected sites and a number of suspected social media assets which disseminate content strategically aligned with the political interests of the People’s Republic of China (PRC). The sites present themselves primarily as independent news outlets from different regions across the world, publishing content in 11 languages. The sites are believed to be linked to Shanghai Haixun Technology Co., Ltd, a Chinese PR firm.

Chris Olson, CEO of The Media Trust had this comment:

“By now it’s widely recognized that the Web is a dangerous tool for spreading propaganda, manipulating elections and changing public opinion – but we rarely recognize how deep the problem goes. Aside from creating fake websites to spread their message, foreign adversaries regularly leverage otherwise legitimate news platforms to spread their stories in the U.S. and around the world.

With the help of third-party code – which includes promoted content features and programmatic advertising – nation-state actors can reach consumers across social media and entertainment sites, mobile apps, news platforms and more. Until publishers, developers and legislators commit to defending our digital borders – not just our physical ones – misinformation and propaganda will continue to spread unchecked.”

This really underscores the line “don’t believe everything that you read”. But you can trust the Mandiant report, and it is very much worth reading, as the level of detail on this campaign is excellent and will give you a clear view of how the campaign works.

2021 Accounted For 40% Of Zero-Days In The Last Decade

Posted in Commentary on April 23, 2022 by itnerd

Researchers with Mandiant have released findings on 80 zero-days exploited “in the wild”, a surge in verified zero-day exploits over the course of the last year. Additionally, Google’s Project Zero said Tuesday that they tracked 58 cases of zero-day exploits in the wild last year. 2021 accounted for 40% of zero-day attacks undertaken in the last decade. That’s a massive explosion of zero-days, which means that users are less safe as a result.

I have two comments from industry experts. The first is from Saumitra Das, CTO and Cofounder, Blue Hexagon:

“Zero-day exploits and variants of malware that go after them have been on a consistent rise as attackers invest in automation and research. Many of the zero-days discovered in old software like print spooler (PrintNightmare) are being discovered by overseas research teams. These can then be weaponized at scale and quickly by attackers using mutated malware to get in. In many cases, attackers use an existing foothold and simply try out a new POC at a victim.”

The second comment is from Chris Olson, CEO, The Media Trust:

“Not only is the number of zero-day attacks rising, but malicious actors are exploiting them faster than ever before. In December, Chinese actors were targeting the Log4Shell vulnerability only hours after its initial disclosure. With the cybersecurity landscape dominated by increasingly sophisticated threat actors, we can expect the incidence of zero days to rise in 2022, especially with heightened political tensions around the world.”

“In response, organizations should be particularly vigilant against underemphasized attack surfaces such as websites and mobile apps if they want to protect their customers. Based on our observations, we expect a rise in attacks based on polymorphic and obfuscated code, rapid URL shifting and other advanced techniques to deliver ransomware and other malicious executables.”

Zero-days are now the new normal, which means that organizations need to hunt down these threats and make sure their defences are on point. Because the bad guys are out there hunting for zero-days that they can exploit. Which means that you are under threat as a result.

Mandiant Uncovers Threat Actors Known As FIN7

Posted in Commentary on April 6, 2022 by itnerd

Mandiant research has disclosed a threat actor group known as FIN7 which has leveraged multiple methods of initial and secondary access into victim networks, including phishing, compromising third-party systems, RDP and more, to target software, consulting, cloud services and medical equipment organizations. The activity attributed to FIN7, as well as the technical overlaps between intrusions, suggests FIN7 actors have been associated with various ransomware operations over time.

Yaron Kassner, CTO and Cofounder, Silverfort had this comment on the Mandiant research:

“According to Mandiant’s report Fin7 were using Kerberoasting, a method to break service account passwords. They were also stealing credentials to move laterally with RDP and SSH. These are common methods used in cyber-attacks because they are simple ways to gain access to additional systems and these interfaces aren’t always protected with MFA. Organizations should monitor authentication traffic to detect these techniques. They should also use MFA for human accounts, and virtual fencing for service accounts, to make sure the attacker doesn’t get beyond the initial point of access.”

Besides using MFA, passwordless authentication options should be considered as well. Many vendors either have these solutions already in the marketplace, or they are coming to market to respond to threat actors like FIN7.
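The Silverfort comment above recommends monitoring authentication traffic for Kerberoasting. One concrete way to do that on the Windows side is to watch Security event ID 4769 (a Kerberos service ticket was requested) for a single account requesting tickets for many distinct service accounts in a short window, especially with the weaker RC4-HMAC ticket encryption type (logged as 0x17). The script below is an added example written for this post, not code from Mandiant, Silverfort, or FIN7 tooling; it assumes the 4769 fields have already been extracted into dictionaries by a SIEM or log forwarder, and the event records it runs on are constructed sample data, not real logs.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Assumption: each event is a dict carrying the 4769 fields a SIEM would
extract: time (ISO 8601), TargetUserName (the account requesting the
ticket), ServiceName (the account that owns the requested SPN),
TicketEncryptionType (hex string as Windows logs it) and IpAddress.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types as logged by event 4769: 0x17 is RC4-HMAC (etype 23),
# 0x11/0x12 are AES128/AES256. RC4 tickets are far cheaper to crack offline,
# so a burst of RC4 service-ticket requests is the classic Kerberoasting signal.
RC4_HMAC = "0x17"


def is_noise_service(service_name):
    """krbtgt and machine accounts (trailing $) are not Kerberoast targets."""
    return service_name.lower().startswith("krbtgt") or service_name.endswith("$")


def _ev(time, user, service, etype, ip):
    """Helper to build one constructed 4769 record."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample events (hypothetical CORP.LOCAL domain, not real data).
SAMPLE_EVENTS = [
    # normal user: AES tickets for a SQL SPN and for a domain controller
    _ev("2022-04-01T09:00:00", "jdoe@CORP.LOCAL", "MSSQLSvc-prod", "0x12", "10.0.0.5"),
    _ev("2022-04-01T09:00:01", "jdoe@CORP.LOCAL", "CORP-DC01$", "0x12", "10.0.0.5"),
    # burst of RC4 tickets for four distinct service accounts within two seconds
    _ev("2022-04-01T09:15:00", "contractor1@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.77"),
    _ev("2022-04-01T09:15:01", "contractor1@CORP.LOCAL", "svc_http", "0x17", "10.0.0.77"),
    _ev("2022-04-01T09:15:01", "contractor1@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.77"),
    _ev("2022-04-01T09:15:02", "contractor1@CORP.LOCAL", "svc_sharepoint", "0x17", "10.0.0.77"),
    _ev("2022-04-01T09:15:02", "contractor1@CORP.LOCAL", "krbtgt", "0x12", "10.0.0.77"),
    # a single RC4 ticket: could be a legacy app, worth a low-severity look
    _ev("2022-04-01T11:42:10", "mlee@CORP.LOCAL", "legacyapp", "0x17", "10.0.0.31"),
]


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return a list of findings keyed by (requesting account, source IP).

    severity "high": at least min_services distinct non-machine service accounts
                     were requested with RC4 inside one sliding window.
    severity "low":  any RC4 service ticket at all (legacy, but worth review).
    """
    per_source = defaultdict(list)
    for ev in events:
        if is_noise_service(ev["ServiceName"]):
            continue
        per_source[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    findings = []
    for (user, ip), evs in per_source.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        rc4_services = set()
        burst = None
        for i, ev in enumerate(evs):
            if ev["TicketEncryptionType"] == RC4_HMAC:
                rc4_services.add(ev["ServiceName"])
            if burst is not None:
                continue
            # distinct RC4 service accounts requested within `window` of event i
            in_window = set()
            j = i
            while j < len(evs) and times[j] - times[i] <= window:
                if evs[j]["TicketEncryptionType"] == RC4_HMAC:
                    in_window.add(evs[j]["ServiceName"])
                j += 1
            if len(in_window) >= min_services:
                burst = (ev["time"], in_window)
        if burst is not None:
            findings.append({"severity": "high", "user": user, "ip": ip,
                             "first_seen": burst[0], "services": sorted(burst[1])})
        elif rc4_services:
            findings.append({"severity": "low", "user": user, "ip": ip,
                             "first_seen": evs[0]["time"], "services": sorted(rc4_services)})
    return findings


if __name__ == "__main__":
    for finding in detect_kerberoasting(SAMPLE_EVENTS):
        print(finding)
```

The high-severity rule is the one worth alerting on; the low-severity rule mostly surfaces service accounts that still have RC4 enabled, which is the cleanup that removes most of the Kerberoasting exposure in the first place (move those accounts to AES-only keys and long random passwords, or to group Managed Service Accounts).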

1 in 7 Ransomware Attacks Leak Critical OT Info: Mandiant

Posted in Commentary on February 1, 2022 by itnerd

Mandiant Threat Intelligence research has recently disclosed that 1 in 7 ransomware extortion attacks leak critical operational technology (OT) information. In 2021, Mandiant Threat Intelligence observed ransomware operators extorting thousands of victims by disclosing terabytes of stolen info on shaming sites. This trend, called “Multifaceted Extortion”, impacted over 1,300 organizations from critical infrastructure and industrial production sectors in just one year:

Based on our analysis, one out of every seven leaks from industrial organizations posted in ransomware extortion sites is likely to expose sensitive OT documentation. Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber physical attacks. On top of this, other data also included in the leaks about employees, processes, projects, etc. can provide an actor with a very accurate picture of the target’s culture, plans, and operations.

That in effect implies that the attack surface that an enterprise would have to protect is huge. And I’m not the only one who thinks so. Sam Jones, VP of Product Management at Stellar Cyber, had this to say:

“The reality of today’s enterprises is that data is everywhere. It is on the computer, it is in SaaS apps, it is in homegrown apps, and it is likely now on employee personal computing assets. Unless a holistic data protection plan is in place, and an enterprise is detecting across all forms of the attack surface, this will likely be a worsening problem for most enterprises.”

I’d encourage enterprises of all sizes to read this report. Then they should consider how best to defend themselves, be it using software, hardware, policies, or whatever is needed to get the job done.

UPDATE: Sanjay Raja, VP of Products and Solutions for Gurucul added this comment:

“The Mandiant report highlights how ransomware isn’t a ‘one-and-done’ attack campaign. While ransomware is seemingly focused on getting paid to unlock your sensitive data, threat actors often return multiple times once they are successful at an attack, knowing the victim has paid once. We also knew they often replicate the data for themselves for sale even as they lock organizations out of their own data. However, this additional extortion through threats of posting the already stolen data is another example of how threat actors find ways to extract more out of their victims. It feels like a never-ending cycle for targeted organizations. This reinforces the need to evaluate newer and more advanced technologies beyond current XDR and SIEM platforms as part of ongoing threat detection and response initiatives within security operations to prevent a successful detonation of ransomware. Prioritizing solutions that automate detection, prioritize seemingly random indicators of compromise for further investigation and even automate responses with a high level of confidence and low impact are critical in deciding where to invest.”

UPDATE #2: Saumitra Das, CTO and Cofounder, Blue Hexagon added this commentary:

“The IT/OT barrier is more a logical separation than an actual one. Attacks typically start on the IT side and propagate into OT because of improper network segmentation and privilege limitations. In light of this report, focusing on the IT/OT boundary and protecting access to the OT networks is critical because defending against a threat once inside the OT network is much harder. Attackers can not only use IT network compromise to laterally move to OT but can now obtain detailed information and diagrams so they can plan their attack into the OT side.”

Mandiant Shows How Chinese Hackers Did Their Dirty Work

Posted in Commentary on February 21, 2013 by itnerd

Never heard of Mandiant? You’ll be paying attention to them after you read their report [Warning: PDF] on a group of Chinese hackers called APT1. Mandiant also has a video on this topic for your viewing pleasure:

Now, if you want to protect yourself, they can help with that too. The linked zip file contains everything you need to stop your organization from being attacked by APT1. At least they’re not simply scaring people.

Given how dangerous Chinese hackers are, I believe it’s prudent for companies to heed these warnings. Even if you’re not a corporation, the report is worth a read just to see how much hacking has evolved.