Zero Days got you down? There sure has been a lot of high impact zero days impacting edge appliances in 2021, from Microsoft Exchange, Pulse Secure, and SonicWall. In this episode, we&apos;re joined by Josh Fleischer, the Managed Defense investigator who uncovered three zero days in SonicWall Email Security, to discuss detection and investigation of a zero day, as well as what vendors and customers can do to better to prepare for zero day attacks.

State of the Hack

S4E07: IIV Drippin: Overcoming Your Zero Day Hangover

In today&apos;s threat landscape, data theft and extortion go hand in handwith ransomware. In this episode of State of the Hack, we&apos;ll talkabout how data theft plays a role in modern day ransomware incidents,how attackers carry out data theft, and how we simulate data theftduring our Red Team assessments so clients can test their detectivecapabilities.

S4E06: Extortion, Ransoms & the Wonderful Life of Red Teams

An oft-undiscussed tactic, web shells are a popular way for threatactors of all flavors to gain initial footholds, move laterally, andmaintain persistence in a stealthy manner. Austin and Doug discuss apopular exploit that has been observed in the wild leading to webshells and what infosec practitioners can do to protect against thisclass of malware.

S4E05: The Wonderful World of Web Shells

This month's episode discusses the idea of operational security ("OPSEC") from an attacker's perspective. OPSEC relates to how an attacker or red team might try to make their activities stealthier to avoid detection. During this episode, Evan Pena and Julian Pileggi talk about the various ways the Mandiant Red Team carries out their operational security during an adversary simulation exercise, and interesting techniques they see attackers using that have a high level of operational security.

S4E04: Apex Predators: Inside OpSec Strategy

Join us for our holiday episode as we search for silver bells andsilver linings in our move to The Cloud! The cast sits down withDirk-Jan Mollema to talk Azure AD and Primary Refresh Tokens; and whatsavvy defenders can do to secure their own cloud credentials.

S4E03: Azure Got Run Over by a Refresh Token

Join us for our holiday episode as we search for silver bells and silver linings in our move to The Cloud! The cast sits down with Dirk-Jan Mollema to talk Azure AD and Primary Refresh Tokens; and what savvy defenders can do to secure their own cloud credentials.

Malicious Office document’s module streams that contain source code,but no P-code are more likely to evade YARA rules and AV detection.This evasion technique is called VBA purging; which is different thanthe observed VBA stomping technique. In this episode we will discusswhat VBA purging is, the difference between purging and stomping, theconsequences of this technique, and a new tool created by Mandiant’sRed Team called OfficePurge.

S4E02: Weaponizing Office Documents with VBA Purging

State of the Hack is back! Featuring new hosts Doug Bienstock(@doughsec), Austin Baker (@bakedsec), Julian Pileggi (@x64_Julian),and Evan Pena (@evan_pena2003) and new content. Doug and Austin kickthings off and dive into a recent flood of phishing campaignsassociated with KEGTAP aka BazaaLoader. They discuss some interestingtoolmarks of the KEGTAP attack chain and why it is so dangerous.

S4E01: KEGTAP-ing Out: Don't be a One Trickbot Pony

On today&apos;s show, Nick Carr and Christopher Glyer break down theanatomy of a really cool pre-attack technique - tracking pixels - andhow it can inform more restrictive & evasive payloads in the nextstage of an intrusion. We&apos;re joined by Rick Cole (@a_tweeter_user) toexplore one such evasive method seen in-the-wild: Macro Stomping. Andwe close the show by deep-diving with Matt Bromiley (@_bromiley) oncritical vulnerability we&apos;ve been responding to most in 2020 - andwhat we&apos;ve seen several attackers do post-compromise.Just as a targeted intruder might, we start our operation with emailtracking pixels. We break down how these legitimate marketing toolsare leveraged by attackers looking to learn more about their plannedvictim&apos;s behavior and system - prior to sending any first stagemalware.We break down the different variations on these trackers for bothbenign and malicious uses. For examples of each style of trackingpixel, see Glyer&apos;s recent tweet thread(https://twitter.com/cglyer/status/1222255759687372801). We talkthrough additional red team operators&apos; responses to how they use thistechnique in their campaigns today - discussion sparked from thisgreat offensive security discussion(https://twitter.com/malcomvetter/status/1222539003565694985). Thistrend of professional target profiling - drawing both inspiration andspecific tracking tools from the marketing industry - is highlyeffective and a trend we expect to continue.Next on the episode, we explain how document profiling accomplishesthe same end goal as email pixels - and how it can share informationabout the current version of Microsoft Office on the potentialvictim&apos;s system. Similar to execution guardrails, this Office versioninformation for Microsoft Word or Excel could be used to delivermalware that is highly evasive and only runs on that profile.We also pivot into some potential use cases for fingerprinting Officeversions. We discuss VBA macro stomping and file format intricaciesthat require attackers to understand the version of office a targetmay be using, in order to create evasive spear phishing lures that maybypass both static and dynamic detections. Rick Cole joins us to talkthrough an active attacker using macro stomping for evasion - bothp-code compiling and PROJECT stream manipulation. Rick walks through abrief overview of the technique and a particular financial threatactor who loves macro stomping as much as they love Onyx. Rickco-authored a blog on the topic(https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html) and has an excellent tweet threadlinking to other research(https://twitter.com/a_tweeter_user/status/1225062617632428033).Finally, we&apos;re joined by a surprise second guest! Matt Bromiley dropsin to discuss FireEye&apos;s efforts to respond to the critical Citrixvulnerability, CVE-2019-19781, that went public on January 10, 2020.Matt helps us break down some of the activity we&apos;ve seen since then,including distinct uncategorized clusters of activity for NOTROBIN,coin-mining, and attempted ETERNALBLUE-laced ransomware.In addition to securing his customers in Managed Defense, Matt&apos;s beenworking with the team to release several blogs, defender tips, andtools on the vulnerability:• Matt and Nick published an initial blog on the topic – detailingexploit timelines, evasive attackers, and resilient approaches todetection(https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)• Our colleagues Willi Ballenthin and Josh Madeley unveiled NOTROBINand the concept of exploit squatter&apos;s rights in the blog with thetitl

S3E2: Hacking Tracking Pix & Macro Stomping Tricks

In response to increased U.S.-Iran tensions stemming from the recentdeath of Quds Force leader Qasem Soleimani by U.S. forces and concernsof potential retaliatory cyber attacks, we&apos;re bringing the latest fromour front-line experts on all things Iran. Christopher Glyer and NickCarr are joined by Sarah Jones (@sj94356) and Andrew Thompson(@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups -including APT33, APT34, APT35, APT39, and TEMP.Zagros - as well as thefreshest actionable information on suspected Iranian uncategorized(UNC) groups that are active right now.We get right into it with a picture of Iranian compromise activityfrom just a few years ago - what we observed and the basic,cookie-cutter approach to their intrusions - and then begin to walkthrough the stark contrast to their TTPs today. We discuss how and whytheir Computer Network Operations (CNO) has evolved quickly andprovide a detailed walk through all of the graduated Iranian APTgroups.Our experts share their experiences with each group, moments in timethat surprised or impressed us from Iranian threat actors, and notableshifts in behavior - as well as our standing questions. Iranianintrusion operators have come a long way from DDoS & defacement, basicscanning, Cain & Abel and ASPXspy... to DNS hijacking, socialengineering via LinkedIn, information operations, and backdoors likeQUADAGENT, SANDSPY, TANKSHELL - then filling in the gaps with thequick adoption of offensive security post-compromise tools andtechniques.We close this first episode of season 3 with an overview of actionablemitigations to secure against both Iranian intrusions and severalother threats, including disruptive and destructive ransomwareattacks. For more information on these mitigations as well as ourpublic source material supporting the discussion from the show, pleasecheck out:• APT33 graduation:https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.htmlhttps://www.brighttalk.com/webcast/10703/275683• APT33 webinar & examples:https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html• An example TEMP.Zagros phishing campaign:https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html• APT35 highlights in MTrends 2018:https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf• Iranian information operations:https://www.fireeye.com/blog/threat-research/2018/08/suspected-iranian-influence-operation.html• RULER home page usage by Iranian groups & mitigations:https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html• APT39 graduation:https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html• Iranian DNS Hijacking (DNSpionage):https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html• More Iranian influence operations:https://www.fireeye.com/blog/threat-research/2019/05/social-media-network-impersonates-us-political-candidates-supports-iranian-interests.html• APT34 social engineering via LinkedIn:http://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html• FireEye response to mounting U.S.-Iran tensions:https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-response-to-mounting-us-iran-tensions.html• U.S.-Iran tensions webinar & mitigations overview:https://www.brighttalk.com/webcast/7451/382779

S3E1: Spotlight Iran - from Cain & Abel to full SANDSPY

State of the Hack is hosted by FireEye's Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.

About