A Detailed Examination of the Siesta Campaign

Executive Summary

FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1.

The Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.

Overview

On March 6, 2014 TrendMicro reported on the Siesta Campaign. Though TrendMicro's report does not state it explicitly, the tactics, techniques and procedures (TTPs) it describes share a number of characteristics with historical activity we’ve attributed to APT1 (also known as the “Comment Crew”).

Cybercriminals Continue to Target Retail Sector

A series of spectacular cyber attacks have breached big-name retail stores in recent months, including Target, Neiman Marcus, and Michaels. These incidents are only the latest in what has become an alarming trend.

In 2013, for example, the U.S. Department of Justice (DoJ) profiled a financial hacking scheme in which four Russians and one Ukrainian penetrated the computer networks of retail organizations. This series of attacks yielded more than 160 million credit card numbers — and cost corporations and consumers hundreds of millions of dollars. The cybercriminals stored the stolen credit card data on computers scattered around the globe and sold it via hacker forums. They charged $10 for American cards and $50 for European cards.

The FireEye Dynamic Threat Intelligence™ team can confirm that the retail sector faces an increased risk from actors using point-of-sale (POS) malware to steal customer credit card data. Ongoing attacks against our retail clients align closely with the DoJ revelations and recent headlines. FireEye is actively tracking one financial threat group that we believe is associated with Russian and Ukrainian attackers.

Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit

Less than a week after uncovering Operation SnowMan, the FireEye Dynamic Threat Intelligence cloud has identified another targeted attack campaign — this one exploiting a zero-day vulnerability in Flash. We are collaborating with Adobe security on this issue. Adobe has assigned the CVE identifier CVE-2014-0502 to this vulnerability and released a security bulletin.

As of this blog post, visitors to at least three nonprofit institutions — two of which focus on matters of national security and public policy — were redirected to an exploit server hosting the zero-day exploit. We’re dubbing this attack “Operation GreedyWonk.”

We believe GreedyWonk may be related to a May 2012 campaign outlined by ShadowServer, based on consistencies in tradecraft (particularly with the websites chosen for this strategic Web compromise), attack infrastructure, and malware configuration properties.

The group behind this campaign appears to have sufficient resources (such as access to zero-day exploits) and a determination to infect visitors to foreign and public policy websites. The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters.

Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website

On February 11, FireEye identified a zero-day exploit (CVE-2014-0322) being served up from the U.S. Veterans of Foreign Wars’ website (vfw[.]org). We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns (Operation DeputyDog and Operation Ephemeral Hydra).

This blog post examines the vulnerability and associated attacks, which we have dubbed “Operation SnowMan.”

Targeted Attacks in 2013: Asia Pacific

Here at FireEye, the New Year gives us an opportunity to look back at 2013 and analyze what happened in cyber security from a high-level and strategic perspective.

Let’s start with Asia. Cyber attacks against government websites in Southeast Asia and Australia made the front-page news, reminding security professionals that cyber threats are both a global and a regional issue.

While attention-seeking hackers are trying to attract as much press as possible, organized and resourceful cyber criminals and nation-state threat actors are capable of more advanced – and stealthy – attacks. Motivated by economic and political aims, some of the most advanced cyber attacks are designed to steal information (or, like Stuxnet, sabotage critical infrastructure) and evade detection. Therefore, this class of attacks can often go unnoticed for long periods of time.

Trends in Targeted Attacks: 2013

FireEye has been busy over the last year. We have tracked malware-based espionage campaigns and published research papers on numerous advanced threat actors. We chopped through Poison Ivy, documented a cyber arms dealer, and revealed that Operation Ke3chang had targeted Ministries of Foreign Affairs in Europe.

Worldwide, security experts made many breakthroughs in cyber defense research in 2013. I believe the two biggest stories were Mandiant’s APT1 report and the ongoing Edward Snowden revelations, including the revelation that the U.S. National Security Agency (NSA) compromised 50,000 computers around the world as part of a global espionage campaign.

In this post, I would like to highlight some of the outstanding research from 2013.