Category: Unit 42

This article demonstrates how AI can be used to modify and help detect JavaScript malware. We boosted our detection rates 10% with retraining. The post Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript appeared first…

Read more →

A phishing campaign targeting European companies used fake forms made with HubSpot’s Free Form Builder, leading to credential harvesting and Azure account takeover. The post Effective Phishing Campaign Targeting European Companies and Organizations appeared first on Unit 42. This article…

Read more →

A phishing campaign targeting European companies used fake forms made with HubSpot’s Free Form Builder, leading to credential harvesting and Azure account takeover. The post Effective Phishing Campaign Targeting European Companies and Institutions appeared first on Unit 42. This article…

Read more →

Using real-world examples and offering plenty of pragmatic tips, learn how to protect your directory services from LDAP-based attacks. The post LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory appeared first on Unit 42. This article has been indexed…

Read more →

Vulnerabilities in Microsoft Azure Data Factory’s integration with Apache Airflow can lead to unauthorized access and control over cloud resources. The post Dirty DAG: New Vulnerabilities in Azure Data Factory’s Apache Airflow Integration appeared first on Unit 42. This article…

Read more →

Analysis of packer-as-a-service (PaaS) HeartCrypt reveals its use in over 2k malicious payloads across 45 malware families since its early 2024 appearance. The post Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation appeared first on Unit 42. This article has been…

Read more →

Unit 42 probes network abuses around events like the Olympics, featuring case studies of scams and phishing through domain registrations and more. The post Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams appeared first on Unit 42.…

Read more →

North Korean IT worker cluster CL-STA-0237 instigated phishing attacks via video apps in Laos, exploiting U.S. IT firms and major tech identities. The post Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack appeared first on…

Read more →

We discuss North Korea’s use of IT workers to infiltrate companies, detailing detection strategies like IT asset management and IP analysis to counter this. The post Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them appeared first…

Read more →

New research reveals two vulnerabilities in Google’s Vertex AI that may lead to privilege escalation or data theft through custom jobs or malicious models. The post ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI appeared first on Unit…

Read more →

We discuss a new campaign from the cybercrime group behind Silent Skimmer, showcasing the exploit of Telerik UI vulnerabilities and malware like RingQ loader. The post Silent Skimmer Gets Loud (Again) appeared first on Unit 42. This article has been…

Read more →

Explore how we detect DNS hijacking by analyzing millions of DNS records daily, using machine learning to identify redirect attempts to malicious servers. The post Automatically Detecting DNS Hijacking in Passive DNS appeared first on Unit 42. This article has…

Read more →

A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor. The post TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit appeared first on…

Read more →

A first-ever collaboration between DPRK-based Jumpy Pisces and Play ransomware signals a possible shift in tactics. The post Jumpy Pisces Engages in Play Ransomware appeared first on Unit 42. This article has been indexed from Unit 42 Read the original…

Read more →

We examine an LLM jailbreaking technique called “Deceptive Delight,” a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate. The post Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction appeared first on Unit…

Read more →

We examine an LLM jailbreaking technique called “Deceptive Delight,” a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate. The post Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction appeared first on Unit…

Read more →

Explore how macOS Gatekeeper’s security could be compromised by third-party apps not enforcing quarantine attributes effectively. The post Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

The Unit 42 Threat Frontier report discusses GenAI’s impact on cybersecurity, emphasizing the need for AI-specific defenses and proactive security. The post Unit 42 Looks Toward the Threat Frontier: Preparing for Emerging AI Risks appeared first on Unit 42. This…

Read more →

Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics. The post Lynx Ransomware: A Rebranding of INC Ransomware appeared first on Unit 42. This article has…

Read more →

Discover how North Korean attackers, posing as recruiters, used an updated downloader and backdoor in a campaign targeting tech job seekers. The post Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and…

Read more →

Four DNS tunneling campaigns identified through a new machine learning tool expose intricate tactics when targeting vital sectors like finance, healthcare and more. The post No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection appeared first on Unit…

Read more →

Researchers detail the discovery of Swiss Army Suite, an underground tool used for SQL injection scans discovered with a machine learning model. The post Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning appeared first on Unit 42. This…

Read more →

We analyze new tools DPRK-linked APT Sparkling Pisces (aka Kimsuky) used in cyberespionage campaigns: KLogExe (a keylogger) and FPSpy (a backdoor variant). The post Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy appeared first on Unit 42. This article has…

Read more →

Delve into the infrastructure and tactics of phishing platform Sniper Dz, which targets popular brands and social media. We discuss its unique aspects and more. The post Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz appeared first on Unit…

Read more →

We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain. The post Inside SnipBot: The Latest RomCom Malware Variant appeared first on Unit 42. This article…

Read more →

Discover Splinter, a new post-exploitation tool with advanced features like command execution and file manipulation, detected by Unit 42 researchers. The post Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool appeared first on Unit 42. This…

Read more →

We track a campaign by Gleaming Pisces (Citrine Sleet) delivering Linux or macOS backdoors via Python packages, aiming to infiltrate supply chain vendors. The post Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors appeared first on…

Read more →

We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors. The post Phishing Pages Delivered Through Refresh HTTP Response Header appeared first on Unit…

Read more →

Repellent Scorpius distributes Cicada3301 ransomware, using double extortion and targeting global victims since May 2024. We break down their toolset and more. The post Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware appeared first on Unit 42. This article has…

Read more →

Explore Unit 42’s review of North Korean APT groups and their impact, detailing the top 10 malware and tools we’ve seen from these threat actors. The post Threat Assessment: North Korean Threat Groups appeared first on Unit 42. This article…

Read more →

A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims’ environments for Southeast Asian espionage. The post Chinese APT Abuses VSCode to Target Government in Asia appeared first on Unit…

Read more →

Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation strategies. The post Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant appeared first on Unit 42. This article has been indexed from Unit 42 Read…

Read more →

Unit 42 researchers use a novel graph-based pipeline to detect misuse of 19 new TLDs for phishing, chatbots and more in several case studies. The post TLD Tracker: Exploring Newly Released Top-Level Domains appeared first on Unit 42. This article…

Read more →

A technical analysis of deepfake technology uncovers how cybercriminals utilize AI-generated videos of public figures to execute sophisticated scams. The post The Emerging Dynamics of Deepfake Scam Campaigns on the Web appeared first on Unit 42. This article has been…

Read more →

We analyze a recent incident by Bling Libra, the group behind ShinyHunters ransomware as they shift from data theft to extortion, exploiting AWS credentials. The post Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware appeared first on…

Read more →

Unit 42 researchers use deep learning to detect cyber threats by analyzing DNS traffic, employing autoencoders and machine learning algorithms. The post Autoencoder Is All You Need: Profiling and Detecting Malicious DNS Traffic appeared first on Unit 42. This article…

Read more →

We recount an extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations’ AWS environments. The post Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments appeared first on Unit 42. This article…

Read more →

Find out which industries have the most rapidly expanding attack surfaces from a survey of 260+ orgs in Unit 42’s 2024 Attack Surface Threat Report. The post Unit 42 Attack Surface Threat Research: Over 23% of Internet-Connected Exposures Involve Critical…

Read more →

New research uncovers a potential attack vector on GitHub repositories, with leaked tokens leading to potential compromise of services. The post ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts appeared first on Unit 42. This article has…

Read more →

Learn about BOLABuster, an LLM-driven tool automating BOLA vulnerability detection in web applications. Issues have already been identified in multiple projects. The post Harnessing LLMs for Automating BOLA Detection appeared first on Unit 42. This article has been indexed from…

Read more →

Discover the 2024 ransomware landscape: a 4.3% increase in leak site posts compared to the first half of 2023, top targeted sectors and impacted countries. The post Ransomware Review: First Half of 2024 appeared first on Unit 42. This article…

Read more →

Russian APT Fighting Ursa (APT28) used compelling luxury car ads as a phishing lure, distributing HeadLace backdoor malware to diplomatic targets. The post Fighting Ursa Luring Targets With Car for Sale appeared first on Unit 42. This article has been…

Read more →

Unit 42 researchers discovered BOLA vulnerability CVE-2024-22278 in the cloud-native container registry Harbor. They break down its discovery and the outcomes. The post Identifying a BOLA Vulnerability in Harbor, a Cloud-Native Container Registry appeared first on Unit 42. This article…

Read more →

A direct correlation between GenAI’s explosive popularity and scam attacks is addressed in this article, using plentiful data and a case study of network abuse. The post Scam Attacks Taking Advantage of the Popularity of the Generative AI Wave appeared…

Read more →

We explain how an automated BOLA detection tool harnessing GenAI discovered multiple BOLA vulnerabilities in open-source scheduling tool Easy!Appointments. The post AI Tool Identifies BOLA Vulnerabilities in Easy!Appointments appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Malware analysts demonstrate how to triage and analyze large amounts of samples with greater efficiency. Samples include Remcos RAT, Lumma Stealer and more. The post Accelerating Analysis When It Matters appeared first on Unit 42. This article has been indexed…

Read more →

This article is a detailed study of CVE-2023-46229 and CVE-2023-44467, two vulnerabilities discovered by our researchers affecting generative AI framework LangChain. The post Vulnerabilities in LangChain Gen AI appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Ransomware gang RA World rebranded from RA Group. We discuss their updated tactics from leak site changes to an analysis of their operational tools. The post From RA Group to RA World: Evolution of a Ransomware Group appeared first on…

Read more →

Unit 42 researchers test container escape methods and possible impacts within a Kubernetes cluster using a containerd container runtime. The post Container Breakouts: Escape Techniques in Cloud Environments appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Our data shows a pattern of APK malware bundled as BadPack files. We discuss how this technique is used to garble malicious Android files, creating challenges for analysts. The post Beware of BadPack: One Weird Trick Being Used Against Android…

Read more →

We perform an in-depth study of a DarkGate malware campaign exploiting Excel files from early this year, assessing its functionality and its C2 traffic. The post DarkGate: Dancing the Samba With Alluring Excel Files appeared first on Unit 42. This…

Read more →

We demonstrate effective methods to circumvent anti-analysis evasion techniques from GootLoader, a backdoor and loader malware distributed through fake forum posts. The post Dissecting GootLoader With Node.js appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

This threat brief details CVE-2024-6387, called RegreSSHion, an RCE vulnerability affecting connectivity tool OpenSSH servers on glibc-based Linux systems. The post Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

Our novel contrastive credibility propagation algorithm improves on data loss prevention and has unique applications to sensitive material. The post The Contrastive Credibility Propagation Algorithm in Action: Improving ML-powered Data Loss Prevention appeared first on Unit 42. This article has…

Read more →

Unit 42 researchers examine how attackers use publicly available Malleable C2 profiles, examining their structure to reveal evasive techniques. The post Attackers Exploiting Public Cobalt Strike Profiles appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths. The post Attack Paths Into VMs in the Cloud appeared first on Unit 42. This article has…

Read more →

A Chinese APT group is targeting political entities across multiple continents. Named Operation Diplomatic Specter, this campaign uses rare techniques and a unique toolset. The post Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target…

Read more →

This article examines the distribution of malicious payloads embedded in Microsoft OneNote files by type, a first in our research to do so at such a scale. The post Payload Trends in Malicious OneNote Samples appeared first on Unit 42.…

Read more →

We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. The post Leveraging DNS Tunneling for Tracking and Scanning appeared first on Unit 42. This article…

Read more →

We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. The post Leveraging DNS Tunneling for Tracking and Scanning appeared first on Unit 42. This article…

Read more →

We detail Operation MidnightEclipse, a campaign exploiting command injection vulnerability CVE-2024-3400, and include protections and mitigations. The post Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

An overview of CVE-2024-3094, a vulnerability in XZ Utils, and information about how to mitigate. The post Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094) appeared first on Unit 42. This article has been…

Read more →

Unit 42 researchers discovered CVE-2024-1313, a broken object level authorization (BOLA) vulnerability in open-source data visualization platform Grafana. The post Exposing a New BOLA Vulnerability in Grafana appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

We analyze the actions of two separate Chinese APTs — including Stately Taurus — that targeted ASEAN-affiliated entities through different methods. The post ASEAN Entities in the Spotlight: Chinese APT Group Targeting appeared first on Unit 42. This article has…

Read more →

We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript. The post Large-Scale StrelaStealer Campaign in Early 2024 appeared first on Unit 42. This article…

Read more →

Iran-linked APT Curious Serpens is using a new backdoor, FalseFont, to target the aerospace and defense industries through fake job recruitment. The post Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention appeared first on Unit 42. This article has…

Read more →

A surge in use of malware Smoke Loader by threat group UAC-0006 is highlighted in the first-ever joint research published by Unit 42 and SSSCIP Ukraine. The post Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke…

Read more →

We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system. The post Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled appeared first on Unit 42. This article has been indexed…

Read more →

Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses. The post Threat Group Assessment: Muddled Libra (Updated) appeared first on Unit 42. This article has been indexed from…

Read more →

This Wireshark tutorial guides the reader in exporting different packet capture objects. It builds on a foundation of malware traffic analysis skills. The post Wireshark Tutorial: Exporting Objects From a Pcap appeared first on Unit 42. This article has been…

Read more →

The RAT Bifrost has a new Linux variant that leverages a deceptive domain in order to compromise systems. We analyze this expanded attack surface. The post The Art of Domain Deception: Bifrost's New Tactic to Deceive Users appeared first on…

Read more →

We illuminate lateral movement techniques observed in the wild within cloud environments, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. The post Navigating the Cloud: Exploring Lateral Movement Techniques appeared first on Unit 42. This article…

Read more →

Data leaks impacting Chinese IT security services company i-Soon reveal links to prior Chinese-affiliated APT campaigns found in the data. We summarize our findings. The post Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns appeared…

Read more →

Dynamic-link library (DLL) hijacking remains a popular technique to run malware. We address its evolution using examples from the realm of cybercrime and more. The post Intruders in the Library: Exploring DLL Hijacking appeared first on Unit 42. This article…

Read more →

CVE-2024-1708 and CVE-2024-1709 affect ConnectWise remote desktop application ScreenConnect. This Threat Brief covers attack scope and includes our telemetry. The post Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709) appeared first on Unit 42. This article has been indexed from…

Read more →

Fundamental insights from Unit 42’s 2024 Incident Response report are summarized here. The post 2024 Unit 42 Incident Response Report: Navigating the Shift in Cybersecurity Threat Tactics appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

Insidious Taurus, aka Volt Typhoon, is a nation-state TA attributed to the People’s Republic of China. We provide an overview of their current activity and mitigations recommendations. The post Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt…

Read more →

New zero-day vulnerability CVE-2023-50358 affects QNAP Network Attached Storage (NAS) devices. Our analysis includes its impact determined by our product data. The post New Vulnerability in QNAP QTS Firmware: CVE-2023-50358 appeared first on Unit 42. This article has been indexed…

Read more →

A 2023 Glupteba campaign includes an unreported feature — a UEFI bootkit. We analyze its complex architecture and how this botnet has evolved. The post Diving Into Glupteba's UEFI Bootkit appeared first on Unit 42. This article has been indexed…

Read more →

Analysis of ransomware gang leak site data reveals significant activity over 2023. As groups formed — or dissolved — and tactics changed, we synthesize our findings. The post Ransomware Retrospective 2024: Unit 42 Leak Site Analysis appeared first on Unit…

Read more →

Evaluation of a new variant of Mispadu, a banking Trojan, highlights how infostealers evolve over time and can be hard to pin to past campaigns. The post Exploring the Latest Mispadu Stealer Variant appeared first on Unit 42. This article…

Read more →

A network of over 130k domains was part of a campaign to deliver shareware, PUPs and other scams. We unravel the threads of this campaign from entry point to payload. The post ApateWeb: An Evasive Large-Scale Scareware and PUP Delivery…

Read more →

We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption. The post Threat Assessment: BianLian appeared first on Unit 42. This article has been indexed from Unit 42 Read the…

Read more →

Traffic detection system Parrot has infected tens of thousands of websites worldwide. We outline the scripting evolution of this injection campaign and its scope. The post Parrot TDS: A Persistent and Evolving Malware Campaign appeared first on Unit 42. This…

Read more →

Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication. The post Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 (Updated) appeared first on Unit 42. This article has been indexed…

Read more →

Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication. The post Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 appeared first on Unit 42. This article has been indexed from…

Read more →

Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users. The post Financial Fraud APK Campaign appeared first on Unit 42. This article has been indexed…

Read more →

Medusa ransomware gang has not only escalated activities but launched a leak site. We also analyze new TTPS encountered in an incident response case. The post Medusa Ransomware Turning Your Files into Stone appeared first on Unit 42. This article…

Read more →

Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples. The post Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer appeared first on Unit 42. This…

Read more →

From October-December, the activities of DarkGate, Pikabot, IcedID and more were seen and shared with the broader community via social media The post From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence appeared first on…

Read more →