Unit 42 Threat Intel Bulletin - July

Cybersecurity Trends

Read the 2023 Unit 42 Network Threat Trends Research Report.

Unit 42 Threat Research

Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Threat Briefs & Assessments)

On May 31, Progress Software posted a notification alerting customers of a critical Structured Query Language injection (SQLi) vulnerability (CVE-2023-34362) in their MOVEit Transfer product. MOVEit Transfer is a managed file transfer (MFT) application intended to provide secure collaboration and automated file transfers of sensitive data.

Read more

Guarding Against Malware in 2023: 4 Predictions to Enhance Your Security Strategy (Threat Reports)

The ability to guard against attacks and malware designed to exploit vulnerabilities means keeping up with trends and predictions to inform your security strategy. Understanding the changing environment is imperative for security professionals to mount a strong defense against sophisticated malware attacks.

Key findings

Cold as Ice: Unit 42 Wireshark Quiz for IcedID (Tutorial)

So far in 2023, IcedID has been a relatively constant presence in our threat landscape. Also known as BokBot, IcedID is Windows-based malware that can lead to ransomware. This Wireshark quiz presents a packet capture (pcap) from an IcedID infection that occurred in April 2023, and it provides experience analyzing traffic generated by this malware.

Anyone can participate in this quiz. However, participants should have some familiarity with Wireshark. Participants should also have a basic knowledge of IPv4 traffic. Palo Alto Networks has published a series of Wireshark tutorials to help people gain knowledge helpful for these quizzes.

Test your knowledge

Check your answers

Analyzing Web Application and API Attacks: The Cloud as a Target and a Launch Pad (Cloud)

Unit 42 researchers have identified a growing trend of cyberattacks targeting web applications and application programming interfaces (APIs) hosted by cloud service providers. Based on the data from our research, 14.9% of attacks in late 2022 on web applications and APIs targeted cloud-hosted deployments.

Attackers are also operating in the cloud and using it to launch their attacks on applications and APIs, as 5.1% of the attacks originated from cloud service providers' addresses. We will discuss what web and API attacks are and why attackers are exploiting them in the cloud. We will also review possible reasons for attacks originating from the cloud, as well as the potential impact on businesses and individuals.

Learn more

Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices (Malware)

On April 10, Unit 42 researchers observed a Mirai variant called IZ1H9, which used several vulnerabilities to spread itself. The threat actors use the following vulnerabilities to target exposed servers and networking devices running Linux:

Find out more

Threat Brief: Attacks on Critical Infrastructure Attributed to Volt Typhoon (Threat Briefs and Assessments)

On May 24, 2023, a Joint Cybersecurity Advisory was published by multiple intelligence agencies, working with private sector partners, disclosing several cyberattacks from nation-state threat actors. The group associated with this attack, known as Volt Typhoon (tracked by Unit 42 as Insidious Taurus), has been attributed to the People's Republic of China (PRC) and was conducting operations for espionage purposes.

Unit 42 is tracking Volt Typhoon activity and will continue to update this threat brief as more information becomes available. Palo Alto Networks was credited in the Joint Cybersecurity Advisory for providing input on the activity.

Check it out

Threat Assessment: Royal Ransomware (Ransomware, Threat Briefs and Assessments)

Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022. Bucking the popular trend of hiring affiliates to promote their threat as a service, Royal ransomware operates as a private group made up of former members of Conti.

The Unit 42 team has observed this group compromising victims through a BATLOADER infection, which threat actors usually spread through search engine optimization (SEO) poisoning. This infection involves dropping a Cobalt Strike Beacon as a precursor to the ransomware execution. Unit 42 incident responders have participated in 15 cases involving Royal ransomware in the last 9 months.

Discover more

It’s All in the Name: How Unit 42 Defines and Tracks Threat Adversaries (Announcement)

Within Unit 42 Threat Intelligence, we are often asked, “How does Unit 42 define and track actor activity?” To answer this question, we’ll give you a glimpse into our day-to-day activities, specifically focusing on how Unit 42 Threat Intelligence tracks behavior-based activity clusters.

The convention that Unit 42 Threat Intelligence uses for naming formal threat actor groups has been discussed in a previous blog. In this post, we’ll step back to give you a broader view, covering how the Unit 42 team builds and tracks activity clusters, and then associates this behavior with temporary threat actor groups. We’ll also discuss how we decide when to enact our formal actor naming and definition processes.

Read more

Threat Roll-up

  • (Vulnerability) An update on the steps IPSwitch is taking to protect MOVEit Transfer and MOVEit Cloud customers. (Source: IPSwitch)
  • (Detection Tool) New tool scans iPhones for 'Triangulation' malware infection. (Source: Bleeping Computer)
  • (Firmware) Hidden code in millions of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse. (Source: Wired)
  • (Remote Code Execution) Exploit released for RCE flaw in the ReportLab PDF library, a popular Python library used by numerous projects to generate PDF files from HTML input. (Source: Bleeping Computer)
  • (Vulnerability) Barracuda, a company known for its email and network security solutions, warns of email gateways being breached via zero-day flaw. (Source: Bleeping Computer)
  • (AI) Dark Web ChatGPT Unleashed: Meet DarkBERT. A language model trained on the fringes of the dark web...for science. (Source: Tom's Hardware)
  • (Ransomware) A different kind of ransomware demand: Donate to charity to get your data back. (Source: CyberScoop)
  • (Vulnerability) A vulnerability (CVE-2023-32784) in KeePass can be exploited to retrieve the master password from the software's memory. (Source: Help Net Security)
  • (Ransomware) A new Python-based ransomware recovery tool lets victims of ransomware strains that use intermittent encryption recover their files for free. (Source: Bleeping Computer)

More Information

Under Attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.

If you have cyber insurance or legal counsel, you can request that Unit 42 serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.

KRISHNAN N NARAYANAN

Sales Associate at American Airlines

1y

Great opportunity
