All news with #mandiant tag

Google Cloud expands Hugging Face support for AI developers

🤝 Google Cloud and Hugging Face are deepening their partnership to speed developer workflows and strengthen enterprise model deployments. A new gateway will cache Hugging Face models and datasets on Google Cloud so downloads take minutes, not hours, across Vertex AI and Google Kubernetes Engine. The collaboration adds native TPU support for open models and integrates Google Cloud’s threat intelligence and Mandiant scanning for models served through Vertex AI.

Time Travel Debugging for .NET Process Hollowing Analysis

🕒 This post introduces Time Travel Debugging (TTD) via WinDbg as a high-value tool for accelerating analysis of obfuscated, multi-stage .NET droppers that perform process hollowing. The authors demonstrate recording a TTD trace, querying the Debugger Data Model with LINQ to find CreateProcess and WriteProcessMemory calls, and extracting a hidden AgentTesla payload. It highlights practical tips, tooling (TTD.exe, FLARE-VM), and limitations such as user-mode scope and proprietary trace formats.

Ransomware Breach: How Nevada's Systems Were Encrypted

🔒 The State of Nevada published a detailed after-action report describing how attackers used a trojanized system administration utility to establish persistent access and deploy ransomware across state infrastructure. The initial compromise occurred on May 14 and was detected on August 24, impacting more than 60 agencies and prompting a 28-day recovery that restored 90% of required data without paying a ransom. Nevada engaged external responders including Microsoft DART and Mandiant, and has since implemented account cleanups, password resets, certificate removals, and tightened access controls.

SonicWall Attributes September Backup Breach to State Actor

🔐 SonicWall has confirmed a state-sponsored threat actor was responsible for a September breach that exposed cloud-stored firewall configuration backup files. The company said the unauthorized access used an API call against a specific cloud environment and affected backups for fewer than 5% of customers. SonicWall engaged Google-owned Mandiant, implemented recommended mitigations, and released an Online Analysis Tool and a Credentials Reset Tool. Customers are advised to log in to MySonicWall.com to review devices and reset impacted credentials.

Privileged Account Monitoring and Protection Guide Overview

🔐 This article outlines Mandiant's practical framework for securing privileged access across modern enterprise and cloud environments. It emphasizes a three-pillar approach—Prevention, Detection, and Response—and details controls such as PAM, PAWs, JIT/JEA, MFA, secrets rotation, and tiered access. The post highlights detection engineering, high-fidelity session capture, and SOAR automation to reduce dwell time and blast radius, and concludes with incident response guidance including enterprise password rotations and protected recovery paths.

Mandiant Academy Basic Static and Dynamic Analysis

🛡️ Mandiant Academy’s new Basic Static and Dynamic Analysis course teaches foundational techniques for safely examining and triaging Windows binaries. The hands-on curriculum combines PE file inspection, metadata and strings extraction, and controlled execution in a provided virtual machine to observe behavior, network activity, and memory artifacts. No advanced programming prerequisites are required, though familiarity with command-line basics, hexadecimal data, and operating system concepts is recommended.

Navigating Public Sector Cybersecurity: AI and Zero Trust

🔒 As CSO for Google Public Sector, the post frames an urgency-driven approach to modern government security, emphasizing AI-powered threat detection, Zero Trust engineering, and a shared responsibility model. It highlights how Google Security Operations (FedRAMP High), fused threat intelligence from VirusTotal and Mandiant, and fast incident response strengthen mission continuity. The piece stresses that legacy defenses are insufficient against AI-enhanced adversaries and calls for proactive, intelligence-led modernization.

VirusTotal simplifies access with contributor tiers

🤝 VirusTotal announces simplified access and tiered pricing to keep the platform open and sustainable. The update preserves a robust, free VT Community tier for researchers and educators while introducing a dedicated Contributor Tier for engine partners that includes blindspot feeds, priority support, and early feature access. New paid tiers (VT Lite, VT Duet) target small teams and large organizations respectively, with pricing aligned to usage and contribution.

Extortion Emails Target Executives Claiming Clop Ties

📧 An individual or group claiming to work with the Clop ransomware gang has been sending extortion emails to executives at multiple organizations since September 29, according to Google. Researchers at Mandiant and the Google Threat Intelligence Group are investigating and report a high-volume campaign launched from hundreds of compromised accounts, with at least one account previously linked to FIN11. The messages include contact information that matches addresses on the Clop data leak site, suggesting the actor may be leveraging Clop's brand; however, investigators emphasize this does not prove direct Clop involvement and advise targeted organizations to search for indicators of compromise.

Google, Mandiant Probe Extortion Claims Targeting Oracle EBS

📧 Google Mandiant and the Google Threat Intelligence Group report a new high-volume extortion campaign that claims stolen data from Oracle E-Business Suite. The operation began on or before September 29, 2025, uses hundreds of compromised accounts, and includes contact addresses verified on the Cl0p data leak site. Mandiant notes at least one sending account has ties to FIN11, a TA505 subset. Investigations are ongoing and organizations are urged to inspect for compromise.

BRICKSTORM espionage campaign targeting appliances in US

🔒BRICKSTORM is a highly evasive backdoor campaign tracked by GTIG and Mandiant that targets network appliances and virtualization infrastructure to maintain long-term access to US organizations. The actor, tracked as UNC5221, deploys a Go-based malware with SOCKS proxy functionality and uses techniques — including zero‑day exploitation of edge appliances, credential capture via a BRICKSTEAL servlet filter, and VM cloning — to remain undetected for an average of 393 days. GTIG and Mandiant published YARA rules, a scanner, and a focused hunting checklist to help defenders locate infections and harden management interfaces and vSphere deployments.

Top Dark Web Monitoring Tools for Threat Detection

🔎 The article explains why Dark Web monitoring is essential for CISOs and security teams, focusing on the discovery of leaked credentials, sensitive corporate data, and brand-abuse used in fraud and phishing. It profiles ten leading solutions and contrasts commercial Digital Risk Protection services with open-source intelligence platforms. The piece emphasizes integration with XDR/MDR, API access, takedown capabilities, and VIP and supply‑chain monitoring to prioritize responses and reduce business risk.

Google: Salesloft Drift OAuth Breach Impacts Integrations

🔐 Google and Mandiant warn Salesloft Drift customers that OAuth tokens tied to the Drift platform should be treated as potentially compromised. Stolen tokens for the Drift Email integration were used to access email from a small number of Google Workspace accounts on August 9, 2025; Google stressed this is not a compromise of Workspace or Alphabet. Google revoked affected tokens, disabled the Workspace–Drift integration, and is urging customers to review, revoke, and rotate credentials across all Drift-connected integrations while investigations continue.

DLA Selects Google Public Sector for Cloud Modernization

☁️ Google Public Sector has been awarded a $48 million DLA Enterprise Platform contract to migrate the Defense Logistics Agency to a DoD‑accredited commercial cloud. The multi‑phased program will move key infrastructure and data to a modern, AI‑ready Google Cloud foundation and enable BigQuery, Looker, and Vertex AI analytics. Emphasizing secure‑by‑design infrastructure and Mandiant threat intelligence, the effort aims to reduce costs, improve resiliency, and accelerate AI‑driven logistics and transportation management.

Google Named a Leader in IDC Incident Response 2025

🔒 Google has been named a Leader in the IDC MarketScape: Worldwide Incident Response 2025, recognizing Mandiant—now integrated into Google Cloud Security—for its decades of incident response expertise. The report praises Mandiant’s "team of teams" model, rapid crisis communications capability, and integration with Google's SecOps platform. Proprietary tools like FACT and Monocle and combined threat intelligence with VirusTotal enhance enterprise-scale investigations.

ClickFix Campaign Delivers CORNFLAKE.V3 Backdoor via Web

🛡️ Mandiant observed a campaign using the ClickFix social‑engineering lure to trick victims into copying and running PowerShell commands via the Windows Run dialog, yielding initial access tracked as UNC5518. That access is monetized and used by other groups to deploy a versatile backdoor, CORNFLAKE.V3, in PHP and JavaScript forms. CORNFLAKE.V3 supports HTTP-based payload execution, Cloudflare-tunneled proxying and registry persistence; researchers recommend disabling Run where possible, tightening PowerShell policies and increasing logging and user training to mitigate the risk.