As you likely noticed, yesterday, Mandiant lost control of this X account which had 2FA enabled. Currently, there are no indications of malicious activity beyond the impacted X account, which is back under our control. We'll share our investigation findings once concluded.
We are excited to announce that we've signed an agreement to join the @GoogleCloud family — bringing together some of the best minds in security! Read more here:
Google completed its acquisition of Mandiant today. We’re excited to get started on our shared mission to create a comprehensive and best-in-class cyber security solution for customers and partners. Read more here:
We have finished our investigation into last week's Mandiant X account takeover and determined it was likely a brute force password attack, limited to this single account.
New: North Korea has taken a page out of China's cyber playbook to reorganize and consolidate its threat groups within the government - making them “extremely mobile now that they’ve consolidated.” Here's a first look at their new org structure 👇
Mandiant Intelligence has been tracking several ways in which Chinese cyber espionage activity has increasingly leveraged initial access and post-compromise strategies intended to minimize opportunities for detection.
Learn more in our analysis:
Linux is becoming a prime target as it is used as the operating system for basic household items up to critical infrastructure. View our latest white paper for guidance on protecting Linux endpoints against malware and destructive attacks.
➡️
Listen to this week’s #ThreatTrends episode feat. Mandiant’s Yihao Lim who joined to discuss the trends he sees in the threat landscape in APJ and how organizations in the region are approaching security.
🎧:
Today, the Mandiant Threat Intelligence team shared that it assesses with high confidence that #UNC1151 is linked to the Belarusian govt & that Belarus is likely at least partially responsible for the Ghostwriter IO campaign.
Read more on our blog:
Mandiant and VMware Product Security found that UNC3886 has been exploiting CVE-2023-20867 since 2021.
Mandiant recommends VMware users update to the latest version of vCenter to account for this vulnerability seeing exploitation in the wild. ⬇️
Today, we announced the elevation of one of the longest-running financially-motivated threat clusters to FIN status, known as #FIN13. The group is unique in several ways, including in the fact they do not deploy #ransomware.
Learn more ➡️
Today we announced our strategic partnership with @CrowdStrike, which brings the power of CrowdStrike’s Falcon platform to Mandiant’s industry-leading services helping to protect customers from #cyberthreats.
Learn more. ⬇️
Mandiant reveals that a “hacktivist” persona created by APT44 has recently targeted & disrupted U.S. and Polish water utilities, as well as a French dam.
Read more on our latest findings here:
#Mandiant #APT44
Based on the data released, there are no indications that Mandiant data has been disclosed. Rather the actor appears to be trying to disprove our June 2nd, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research.
It’s time for our home race🏁! We are proud to provide @AlpineF1Team with confidence in their #cybersecurity as they take on the #USGP at Circuit of the Americas. Let’s go team, good luck!
We've posted a new blog authored by Mandiant's Threat Intel team on how the Apache Log4j vulnerability impacts organizations, ways attackers have been leveraging it in the wild and our detailed mitigation recommendations.
Read more here:
In light of the crisis in Ukraine, Mandiant is preparing for Russian actors to carry out aggressive cyber activity against customers & the community. Read our whitepaper for guidance on how to protect against these sorts of destructive cyber attacks.
➡️
UNC3886 has been exploiting a 0-day vulnerability in VMware ESXi hypervisors.
See our latest blog for more on this group, as well as steps organizations can take to detect and respond to a newly exploited 0-day vulnerability in VMware ESXi hypervisors.
Today we’ve released a white paper and investigative tool to help orgs detect, protect against, and respond to #UNC2452, the group behind the SUNBURST malware and supply chain attack.
Check out the white paper:
We have graduated UNC788 to APT status. #APT42 is a prolific & well-resourced threat actor likely operating on behalf of the Iranian Revolutionary Guard Corps. Read more on the group & listen to our latest #ThreatTrends episode to learn more.
We have developed and launched The Mandiant Cyber Threat Intelligence Analyst Core Competencies Framework to help grow the pool of highly capable CTI practitioners. Read this blog post by @_John_Doyle to learn more. 👇
.@FireEye has entered into a definitive agreement to sell the FireEye Products business, including the FireEye name, to Symphony Technology Group. This will separate FireEye’s products suite from Mandiant Solutions’ controls-agnostic software and services.
🚀 Unveiling the new Threat Intelligence Blog!
Explore hundreds of Mandiant reports, offering the same intelligence and same Mandiant expertise but now on a dedicated page.
Read now:
#ThreatIntelligence #Cybersecurity
As part of the Google Summer of Code project, our FLOSS malware analysis tool now supports Go and Rust executables. Learn how to use FLOSS by reading our blog here
#ReverseEngineering #Flare
Mandiant and @Microsoft have identified a new wave of intrusion activity from the threat actor behind the #SolarWinds supply chain attacks. Learn more in this article from @nytimes ⬇️
A new Mandiant investigation reveals what’s probably the first instance of an ICS attack that solely uses living off the land techniques.
Read how Sandworm caused a power outage in Ukraine and why they could replicate a similar type of attack elsewhere:
capa v3 has arrived! 🙌
With help from @IntezerLabs, the tool now recognizes ELF files. Learn more about the extended analysis and other improvements that come with the newest code and ruleset updates, in our latest blog.
Our experts have gathered sufficient evidence to assess that the activity tracked as #UNC2452, the group name used to track the #SolarWinds compromise in December 2020, is attributable to #APT29.
Learn more:
Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We've made changes to our process to ensure this doesn't happen again.
We have identified an ongoing IO campaign leveraging a network of at least 72 suspected inauthentic news sites & a number of suspected inauthentic social media assets to disseminate content strategically aligned w/ the political interests of the PRC. ➡️
The Mandiant Managed Defense team has been working tirelessly to identify and combat the latest threats, and we're sharing our key observations from 2023 with you.👇
#Cybersecurity #ThreatIntelligence
Yesterday we lost former teammate Joyce Lin, whose plane crashed while delivering COVID-19 tests in rural Indonesia. A founding member of the Intel Team, Joyce then followed a passion to give back, joining a nonprofit. Her generosity will be missed.
In early 2022, Mandiant detected & responded to an incident where #APT29 successfully phished a European diplomatic entity & ultimately abused the Windows Credential Roaming feature. Read the blog post for more on this research.👇
This joint CSA provides details on rare #ICS focused malware that could be used to carry out serious cyber attacks against critical infrastructure. We appreciate acknowledgment for the hard work of our team in the report.
We are kicking off the week by releasing free tools on GitHub that help companies generate rules to systematically hunt for deserialization exploits, as well as other types of 0-day exploits. For more, read the blog post by Alyssa Rahman (@ramen0x3f).
👉
Ready. Set. Go! 🚦
We are thrilled to announce our strategic partnership with @AlpineF1Team to help protect data across racing operations so they can continue to push the boundaries of technology and innovation both on and off the track.
👉 Read more:
Our Managed Defense team identified a threat actor, UNC4990, who uses USB devices for initial attacks. They have moved from using seemingly benign encoded text files to hosting payloads on popular websites.
Read more:
#Malware #ManagedDefense
Every industry has defining moments. The APT1 report that came out 8 years ago today is one of those moments for #infosec.
Watch the actual APT1 attacker sessions and intrusion activities in the video below.
▶️ Read the APT1 report:
We have been engaged by @TMobile to help them become more resilient to future cyber threats, drawing from Mandiant’s global front line experience helping orgs respond to security incidents.
We’ve recently responded to several incidents involving compromises of Pulse Secure VPN appliances.
Our blog post examines multiple related techniques for bypassing single & multifactor authentication on the appliances. Review the techniques here:
Congrats to everyone who participated in #FLAREOn8! 👏
Check out our blog post for more on this year's contest & read the detailed solutions by each challenge author >>
📣 New UNC group alert: UNC1945 📣
We've observed this group compromise telecommunication companies as well as target financial and professional consulting industries through third-party networks.
Learn more about their #TTPs:
We are pleased to share the Cyber Threat Intelligence Program Maturity Assessment. This web-based Intelligence Capability Discovery (ICD) will help commercial and governmental organizations evaluate the maturity (cont)
“We need to see more law enforcement disruptions of these #ransomware attacks if we want to change their behavior.” - Christopher Krebs addressing attendees at #CyberDefenseSummit
Check out our initial findings on zero-day exploitation of Ivanti appliances by a suspected APT. 👇
We share details on five malware families related to the exploitation, as well as IOCs, YARA rules, and more for defenders to stay ahead of the threat.
Congratulations to the 219 Flare-On Challenge finishers! With 4,767 registered users, this is the most difficult challenge we’ve ever produced.
Interested in learning more about the 13 challenges? Check out the solutions from the authors themselves.
#Flare
In the latest release of capa v7, we have integrated capa with Ghidra, bringing capa’s detection capabilities directly to Ghidra’s user interface.
Read our latest blog to integrate your Ghidra workflows:
#Flare #ReverseEngineering
Announcing the 10th annual Flare-On Challenge, launching on Sept. 29, 2023!
The challenge is designed for the world’s best reverse engineers to test their skills through difficult puzzles, featuring a retro-computing challenge involving PDP-11.
#flareon10
Responding to Western sanctions, Russia is likely to tap actors including Sandworm, UNC2589, UNC3715, and potentially TEMP.Isotope, for response, escalation, and possible destructive actions:
Today we published new research showing how #APT29, the threat group behind the #SolarWinds attack, is using new tactics and actively targeting Microsoft 365. Read more. ⤵️
Today we've completed the sale of the FireEye Products business. We want to take a moment to acknowledge & honor the incredible work our former colleagues delivered for Mandiant & our customers, and to wish them well as they move forward under Bryan Palma’s capable leadership.
We've published a blog post on our analysis of the INCONTROLLER framework, covering how new state-sponsored cyber attack tools target multiple industrial control systems. Thanks to @SchneiderElec & our partners for their contribution. Full post 👇
#ICS
Run, don't walk. Listen to our latest #ThreatTrends episode feat. Mandiant's Joe Dobson & Michael Barnhart on #DPRK threat groups & a view of the threat landscape in the region. They also chat about the tactics actors are using to target #cryptocurrency.
How can your security team benefit from increased external visibility? Hear from our experts on how Mandiant Advantage Attack Surface Management helps automate external asset discovery & reconnaissance efforts. Register today!
Mandiant has published a new report outlining new activities & tactics carried out by a threat actor we are associating w/ the #SolarWinds supply chain attack. Read more in our latest blog post.
“We’re celebrating the start. It’s not the finish line," said our CEO, Kevin Mandia, speaking to Mandiant employees in an all company town hall called to discuss the close of Google's acquisition of the firm. Read his blog here 👇
Today, we disclosed a critical risk vulnerability in coordination with @CISAgov that affects millions of IoT devices using the ThroughTek “Kalay” network. Read more about it in our new blog post ⤵️
Through our extensive experience responding to some of the world's most impactful threats, we found six critical tasks that organizations should implement to effectively mitigate cyber risk.
#CyberSnapshot #DefendersAdvantage
We've observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website.
▶️
Here is @JumpforJoyce with insights on what the #cybersecurity industry should be prepping for in 2023. Stay tuned for much more from our Mandiant Cyber Security Forecast 2023 report, dropping next Wednesday, November 2.
In July 2022, Mandiant Managed Defense identified a novel spear phish methodology employed by a threat cluster tracked as UNC4034.
Read our blog to learn more. ⬇️
Check out a few suggestions that can help you analyze most types of #data with #MicrosoftExcel, which will allow you to develop an efficient way to analyze important evidence.
>> Read more in our blog:
🚨 New research alert!
Mandiant has observed a new espionage operation targeting #Ukraine. We suspect this activity is being conducted by the Russian #cyberespionage group, Turla Team. Read the blog to learn more. ⬇️
We found suspected Russian cyber actors used evacuation & humanitarian documents as #spearphishing lures against Ukrainian entities.
Read details on those campaigns, including new #malware found, & the suspected threat actors behind it here:
🇺🇦🇺🇸 Ukrainian partners are actively sharing malicious activity with us to bolster collective cybersecurity, as we share w/ them. Thanks to close collaboration with @servicessu, we are disclosing IOCs associated w/ malware recently found in Ukrainian networks
Our annual Flare-On Challenge is back!
This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. Read more about #FlareOn9, which begins Sept. 30 at 8pm ET. 👇
We identified 3 #zeroday vulnerabilities with Managed Defense in SonicWall’s Email Security (ES) product. The vulns were being exploited in the wild to obtain admin access and code execution on a SonicWall ES device.
Learn more in our blog post:
While things like our corporate name and $MNDT ticker symbol on @Nasdaq may be new, the cyber security and peace of mind we provide are as strong as ever.
APT43 | North Korea is gaining intelligence on international negotiations, sanctions policy, foreign relations, and domestic politics using this cyber operator. Download the Mandiant APT43 report to learn more:
Trello? Is it #APT29 you’re looking for?
Our researchers have discovered two new malware families being used by APT29 in spear phishing campaigns to obtain diplomatic and foreign policy information from governments around the world.
More here ⤵️
Flare-On is back! 🙌
This year's challenge will feature a total of 11 challenges featuring a variety of formats including Windows, JavaScript, .NET, Python, and even Motorola 68k Macintosh.
Read more about #FlareOn9, which begins Sept. 30 @ 8pm ET.
Our FLARE team has released the Ghidrathon extension, which adds Python 3 scripting capabilities to Ghidra that tightly integrates with Ghidra's UI.
Read our latest blog post to learn more. ⤵️
Dive into our latest blog on APT29's use of WINELOADER to target German political parties. Learn about tactics, impacts, and defense strategies. Read the analysis:
#Cybersecurity #ThreatIntel #APT29
Get excited! #FLAREOn8 kicks off this Friday 8PM ET/5 PM PT at flare-on[dot]com. This year’s contest will consist of 10 challenges and feature a variety of formats, including Windows, Linux, and JavaScript.
Learn more:
It was an honor to join @Nasdaq’s Closing Bell ceremony today as we celebrate our listing as $MNDT. If you missed the event, you still can watch it at
🚨 Explore the rising threat of cyberattacks leveraging System Center Configuration Manager (SCCM) in our newest blog post.
Gain expert insights and learn how to protect your organization.
Read now:
#Cybersecurity #SCCM
We just released an Indicators of Compromise Scanner that is designed to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. Learn more about this tool and download it today:
#ZeroDayThreat
In collaboration with @Google's Threat Analysis Group (TAG), we've released a comprehensive report on #zerodayvulnerabilities observed in 2023, offering insights and recommendations for cybersecurity professionals.
Stay ahead of threats:
#Cybersecurity
Our latest blog, Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter, dives into local file-based escalation attacks, which can allow an attacker to delete files on a Windows system.
Read the full blog here:
We're thrilled to be included as one of the select alliance members supporting @CISAgov's expansion of the JCDC to include a new #ICS focus on the cyber security and resilience of operational technology. Read more here:
Today we are pleased to announce a new strategic alliance with @SentinelOne to help organizations reduce the risk of data breaches and strengthen their ability to mitigate cyber threats. Read more:
Cyber Security Forecast 2023 is out! To help improve overall preparedness, we've tapped leaders & experts across Mandiant for perspective, including our Head of Global intelligence @JumpforJoyce and also @philvenables, CISO @Google Cloud. Read more here ⤵️
Today we published new research on a unique #malware ecosystem that was found deployed on VMware hypervisors & guest systems by an advanced & suspected espionage threat actor. Read our blog to learn more about the threat: