Unit 42 Threat Intel Bulletin - July
Cybersecurity Trends
Unit 42 Threat Research
Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Threat Briefs & Assessments)
On May 31, Progress Software posted a notification alerting customers of a critical Structured Query Language injection (SQLi) vulnerability (CVE-2023-34362) in their MOVEit Transfer product. MOVEit Transfer is a managed file transfer (MFT) application intended to provide secure collaboration and automated file transfers
Guarding Against Malware in 2023: 4 Predictions to Enhance Your Security Strategy (Threat Reports)
The ability to guard against attacks and malware designed to exploit vulnerabilities means keeping up with trends and predictions to inform your security strategy. Understanding the changing environment is imperative for security professionals to mount a strong defense against sophisticated malware attacks.
Cold as Ice: Unit 42 Wireshark Quiz for IcedID (Tutorial)
So far in 2023, IcedID has been a relatively constant presence in our threat landscape. Also known as BokBot, IcedID is Windows-based malware that can lead to ransomware. This Wireshark quiz presents a packet capture (pcap) from an IcedID infection that occurred in April 2023, and it provides experience analyzing traffic generated by this malware.
Anyone can participate in this quiz. However, participants should have some familiarity with Wireshark. Participants should also have a basic knowledge of IPv4 traffic. Palo Alto Networks has published a series of Wireshark tutorials to help people gain knowledge helpful for these quizzes.
Analyzing Web Application and API Attacks: The Cloud as a Target and a Launch Pad (Cloud)
Unit 42 researchers have identified a growing trend of cyberattacks targeting web applications and application programming interfaces (APIs) hosted by cloud service providers. Based on the data from our research, 14.9% of attacks in late 2022 on web applications and APIs targeted cloud-hosted deployments.
Attackers are also operating in the cloud and using it to launch their attacks on applications and APIs, as 5.1% of the attacks originated from cloud service providers' addresses. We will discuss what web and API attacks are and why attackers are exploiting them in the cloud. We will also review possible reasons for attacks originating from the cloud, as well as the potential impact on businesses and individuals.
Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices (Malware)
On April 10, Unit 42 researchers observed a Mirai variant called IZ1H9, which used several vulnerabilities to spread itself. The threat actors use the following vulnerabilities to target exposed servers and networking devices running Linux:
Threat Brief: Attacks on Critical Infrastructure Attributed to Volt Typhoon (Threat Briefs and Assessments)
On May 24, 2023, a Joint Cybersecurity Advisory was published by multiple intelligence agencies, working with private sector partners, disclosing several cyberattacks from nation-state threat actors. The group associated with this attack, known as Volt Typhoon (tracked by Unit 42 as Insidious Taurus), has been attributed to the People's Republic of China (PRC) and was conducting operations for espionage purposes.
Unit 42 is tracking Volt Typhoon activity and will continue to update this threat brief as more information becomes available. Palo Alto Networks was credited in the Joint Cybersecurity Advisory for providing input on the activity.
Threat Assessment: Royal Ransomware (Ransomware, Threat Briefs and Assessments)
Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022. Bucking the popular trend of hiring affiliates to promote their threat as a service, Royal ransomware operates as a private group made up of former members of Conti.
The Unit 42 team has observed this group compromising victims through a BATLOADER infection, which threat actors usually spread through search engine optimization (SEO) poisoning. This infection involves dropping a Cobalt Strike Beacon as a precursor to the ransomware execution. Unit 42 incident responders have participated in 15 cases involving Royal ransomware in the last 9 months.
It’s All in the Name: How Unit 42 Defines and Tracks Threat Adversaries (Announcement)
Within Unit 42 Threat Intelligence, we are often asked, “How does Unit 42 define and track actor activity?” To answer this question, we’ll give you a glimpse into our day-to-day activities, specifically focusing on how Unit 42 Threat Intelligence tracks behavior-based activity clusters.
The convention that Unit 42 Threat Intelligence uses for naming formal threat actor groups
Threat Roll-up
More Information
Under Attack?
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.
If you have cyber insurance or legal counsel, you can request for Unit 42 to serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.