FireEye: Cyber actions
Cyber actions
2008-2014
In October/November 2009, FireEye participated in an effort to take down the Mega-D botnet (also known as Ozdok). On March 16, 2011, the Rustock botnet was taken down through action by Microsoft, federal law enforcement agents, FireEye, and the University of Washington. In July 2012, FireEye was involved in the analysis of the Grum botnet's command and control servers located in the Netherlands, Panama, and Russia.
In 2014, the FireEye Labs team identified two new zero-day vulnerabilities, CVE-2014-4148 and CVE-2014-4113, used as part of limited, targeted attacks against major corporations. Both zero-days exploit the Windows kernel. Microsoft addressed the vulnerabilities in its October 2014 security bulletin.

Also in 2014, FireEye provided information on a threat group it calls FIN4. FIN4 appears to conduct intrusions focused on a single objective: obtaining access to insider information capable of making or breaking the stock prices of public companies. The group has targeted hundreds of companies, and specifically targets the emails of C-level executives, legal counsel, regulatory, risk, and compliance personnel, and other individuals who regularly discuss confidential, market-moving information.

In 2014, FireEye released a report focused on a threat group it refers to as APT28. APT28 focuses on collecting intelligence that would be useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries, and security organizations that would benefit the Russian government.
2015
In 2015, FireEye confirmed the existence of at least 14 router implants spread across four different countries: Ukraine, the Philippines, Mexico, and India. Referred to as SYNful Knock, the implant is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network.
In September 2015, FireEye obtained an injunction against a security researcher who was attempting to report vulnerabilities in the FireEye Malware Protection System.
In 2015, FireEye uncovered an attack exploiting two previously unknown vulnerabilities, one in Microsoft Office (CVE-2015-2545) and one in Windows (CVE-2015-2546). The attackers hid the exploit within a Microsoft Word document (.docx) that appeared to be a résumé. The combination of these two exploits grants privileged remote code execution. Both vulnerabilities were patched by Microsoft.
In 2015, FireEye's service team in Singapore uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113). Adobe released a patch for the vulnerability in an out-of-band security bulletin. FireEye attributed the activity to a China-based threat group it tracks as APT3.
2016
In 2016, FireEye announced that it had been tracking a pair of cybercriminals referred to as the “Vendetta Brothers.” The company said the enterprising duo uses various strategies to compromise point-of-sale systems, steal payment card information, and sell it on their underground marketplace “Vendetta World.”
In mid-2016, FireEye released a report on the impact of the 2015 agreement between President Barack Obama and Chinese President Xi Jinping that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” for economic advantage. The security firm reviewed the activity of 72 groups it suspects of operating in China or otherwise supporting Chinese state interests and determined that, as of mid-2014, there had been an overall decrease in successful network compromises by China-based groups against organizations in the U.S. and 25 other countries.
In 2016, FireEye announced that it had identified several versions of ICS-focused malware, dubbed IRONGATE, crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. Although the Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed to FireEye that IRONGATE is not viable against operational Siemens control systems and that IRONGATE does not exploit any vulnerabilities in Siemens products, the security firm said that IRONGATE invokes ICS attack concepts first seen in Stuxnet.
On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117). The security firm reported the issue to the Adobe Product Security Incident Response Team (PSIRT), and Adobe released a patch for the vulnerability four days later.
In 2016, FireEye discovered a widespread vulnerability affecting Android devices that permits local privilege escalation to the built-in user “radio”, meaning an attacker can potentially perform activities such as viewing the victim's SMS database and phone history. FireEye reached out to Qualcomm in January 2016 and subsequently worked with the Qualcomm Product Security Team to address the issue.
In 2016, FireEye provided details on FIN6, a cybercriminal group that steals payment card data for monetization from targets predominantly in the hospitality and retail sectors. The group was observed aggressively targeting and compromising point-of-sale (POS) systems, and making off with millions of payment card numbers that were later sold on an underground marketplace.
2017
In 2017, FireEye detected malicious Microsoft Office RTF documents leveraging a previously undisclosed vulnerability, CVE-2017-0199. The vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing the embedded exploit. FireEye shared details of the vulnerability with Microsoft and coordinated public disclosure timed with the release of a patch by Microsoft to address the vulnerability.