FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool (RAT) that has been used for nearly a decade for key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.

In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload. As of the writing of this blog post, FireEye had not observed post-exploitation activity by the threat actors, so we cannot assess the goal of the campaign. We have previously observed APT19 steal data from law and investment firms for competitive economic purposes. This purpose of this blog post is to inform law firms and investment firms of this phishing campaign and provide technical indicators that their IT personnel can use for proactive hunting and detection.

“In my previous blog I posted details of a cyber attack targeting Indian government organizations. This blog post describes another attack campaign where attackers used the Uri terror attack and Kashmir protest themed spear phishing emails to target officials in the Indian Embassies and Indian Ministry of External Affairs (MEA). In order to infect the victims, the attackers distributed spear-phishing emails containing malicious word document which dropped a malware capable of spying on infected systems. The email purported to have been sent from legitimate email ids. The attackers spoofed the email ids associated with Indian Ministry of Home Affairs to send out email to the victims. Attackers also used the name of the top-ranking official associated with Minister of Home affairs in the signature of the email, this is to make it look like the email was sent by a high-ranking Government official associated with Ministry of Home Affairs (MHA).”

“In my previous blog posts I described attack campaigns targeting Indian government organizations, and Indian Embassies and Ministry of External affairs. In this blog post I describe a new attack campaign where cyber espionage group targeted the users of Mazagon Dock Shipbuilders Limited (also called as ship builder to the nation). Mazagon Dock Shipbuilders Limited (MDL) is a Public Sector Undertaking of Government of India (Ministry of Defence) and it specializes in manufacturing warships and submarines for the Indian Navy.”

“In my previous blog posts I posted details of cyber attacks targeting Indian Ministry of External Affairs and Indian Navy’s Warship and Submarine Manufacturer. This blog post describes another attack campaign where attackers impersonated identity of Indian think tank IDSA (Institute for Defence Studies and Analyses) and sent out spear-phishing emails to target officials of the Central Bureau of Investigation (CBI) and possibly the officials of Indian Army.”

This report describes an extensive Russia-linked phishing and disinformation campaign. It provides evidence of how documents stolen from a prominent journalist and critic of Russia was tampered with and then “leaked” to achieve specific propaganda aims. We name this technique “tainted leaks.” The report illustrates how the twin strategies of phishing and tainted leaks are sometimes used in combination to infiltrate civil society targets, and to seed mistrust and disinformation. It also illustrates how domestic considerations, specifically concerns about regime security, can motivate espionage operations, particularly those targeting civil society.

This report describes Nile Phish, an ongoing and extensive phishing campaign against Egyptian civil society.

This report reveals a campaign of reconnaissance, phishing, and malware operations that use content and domains made to mimic Chinese language news websites

APT28 sent out a document disguising itself as a flyer relating to the Cyber Conflict U.S. conference. The document contains a VBA macro that executes a new variant of Seduploader. This article analyzes the document and the reconnaissance malware inside.

The post contains Analysis on a wave of attacks targeting banks as well as the falsified origins of said attacks.

IBM analysts recently unveiled a first look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia. While researching elements in the IBM report, ASERT discovered additional malicious domains, IP addresses, and artifacts that matched preciously disclosed elements of Shamoon2.

The upgraded version of the Dridex Trojan was at one time one of the most successful bank Trojans originally discovered in 2014 and has since re-emerged. This paper provides an overview.

There is already a wealth of research that highlights the unending growth in security alerts, a widening security skills gap, and the ensuing fatigue that is heaped upon understaffed security teams. Demisto conducted a large study to delve deeper into these issues, their manifestations, and possible solutions. Their results yielded fascinating insights into the state of cybersecurity in businesses of all sizes.

This threat report takes a look at some of the events of spring 2017. Specifically, it looks at the NICKEL GLADSTONE threat group, the Iranian COBALT GYPSY threat group, third party risks, limiting native operating system admin tools.

In this report, they highlight the notable investigative research and threat trend statistics gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q1 of 2018.

This monthly threat report takes a look at the month of May 2017.

Overpowering today’s attackers and responding to threats requires EDR plus NGAV. The bad guys treat all of an organization’s machines as possible entry points. EDR plus NGAV takes this concept and uses it to the defender’s advantage by using all of a company’s endpoints for protection.

Aaron Higbee, Co-founder and CTO, PhishMe, (now CoFense) discusses the future of phishing defence and asks which side of the fence the future of defence against phishing attacks lies: human or machine?

This monthly threat report takes a look at the month of September 2017. More specifically, it takes a look at VULNS, Apache Exploits, and the Equifax breach.

This annual report takes a look at the most popular vulnerabilites used by cybercriminals. It intends to help organizations make good, informed decisions about their cyber security.

This Threat Report takes a look at some of the events of Early 2017. Specifically, it looks at how weak and outdated software enabled breaches, threats leveraged legitimate features, threat groups targeted organizations for espionage, and Shamoon wiper malware re-emerged.