Threat Brief: CVE-2025-0282 and CVE-2025-0283
Ivanti has issued a security advisory regarding two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) affecting its Connect Secure, Policy Secure, and ZTA gateway products. CVE-2025-0282 allows remote code execution by unauthenticated attackers, while CVE-2025-0283 enables local privilege escalation for authenticated users. The article discusses observed attacks exploiting CVE-2025-0282, detailing attack phases and tools used.…
One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks
This article discusses the proactive detection of cyber threats through automated pivoting on known indicators, showcasing three case studies involving phishing campaigns. It highlights the use of a graph neural network (GNN) to uncover new malicious domains and emphasizes the importance of continuous monitoring of threat actors’ evolving indicators.…

Summary:

Unit 42 researchers uncovered a phishing campaign targeting European companies, particularly in the automotive and chemical sectors, aiming to harvest Microsoft Azure credentials. The campaign peaked in June 2024, impacting around 20,000 users through malicious links and documents. #Phishing #CyberSecurity #CredentialHarvesting

Keypoints:

The phishing campaign targeted European companies, primarily in the automotive and chemical industries.…

Summary:

This article offers a comprehensive guide to detecting LDAP-based attacks, highlighting the challenges of distinguishing between benign and malicious activities. It discusses real-world examples of threat actors exploiting LDAP for lateral movement and critical asset enumeration, as well as effective detection strategies. #LDAPAttacks #CyberSecurity #ThreatDetection

Keypoints:

LDAP is commonly abused by threat actors for lateral movement and enumeration of critical assets in cyberattacks.…

Summary:

HeartCrypt is a new packer-as-a-service (PaaS) that has been used to protect malware since its launch in February 2024. It allows malware operators to pack their malicious payloads into legitimate binaries, facilitating the spread of various malware families. #HeartCrypt #MalwarePacker #CyberThreats

Keypoints:

HeartCrypt has been in development since July 2023 and began sales in February 2024.…

Summary:

Threat actors exploit high-profile events, such as the 2024 Summer Olympics, to launch cyberattacks, including phishing and scams. Proactive monitoring of event-related domain abuse is essential for cybersecurity teams to mitigate risks. Key metrics to watch include domain registrations, DNS traffic, and URL patterns. #CyberThreats #EventExploitation #DomainAbuse

Keypoints:

Threat actors frequently exploit trending events for cyberattacks.…

Summary:

The Howling Scorpius ransomware group, known for its Akira ransomware-as-a-service, has emerged as a significant threat since early 2023. Utilizing a double extortion strategy, they target small to medium-sized businesses across various sectors globally, particularly in North America, Europe, and Australia. Their ongoing enhancements to ransomware tools and techniques pose increasing risks to organizations.…

Summary:

In July 2024, the FrostyGoop/BUSTLEBERM malware was publicly identified after causing significant disruptions to critical infrastructure in Ukraine. This OT-centric malware utilizes Modbus TCP communications to manipulate industrial control systems, affecting heating services for over 600 apartment buildings. The report highlights the malware’s capabilities, its operational methods, and the increasing threat posed by OT malware globally.…

Summary:

Palo Alto Networks and Unit 42 are monitoring exploitation activities related to CVE-2024-0012, an authentication bypass vulnerability in PAN-OS. The vulnerability allows unauthenticated attackers to gain administrative access to affected systems. Recommendations include restricting access to management interfaces and applying available patches.

Keypoints:

Palo Alto Networks is tracking exploitation activities related to CVE-2024-0012.…

Summary:

Unit 42 researchers have identified a North Korean IT worker activity cluster, CL-STA-0237, involved in phishing attacks through malware-infected video conferencing applications. Operating from Laos, this cluster has exploited a U.S.-based IT services company to apply for jobs, indicating a shift towards more aggressive malware campaigns linked to North Korea’s illicit activities, including WMD programs.…

Summary:

Organizations are increasingly training AI models on sensitive data, raising concerns about the potential for malicious actors to exploit vulnerabilities in AI platforms. Recent findings from Palo Alto Networks revealed two significant vulnerabilities in Google’s Vertex AI platform that could allow attackers to escalate privileges and exfiltrate sensitive machine learning models.…

Summary:

This article discusses an incident involving a threat actor’s unsuccessful attempt to bypass Cortex XDR, which inadvertently provided valuable insights into their operations. Through the investigation, Unit 42 uncovered the use of an AV/EDR bypass tool and identified the threat actor’s identity, revealing their tactics and tools utilized in the attack.…
Short Summary:

Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group, as a key player in a recent ransomware incident involving collaboration with the Play ransomware group. This marks a significant shift in Jumpy Pisces’ tactics, indicating their deeper involvement in the ransomware landscape, moving from cyberespionage to potential ransomware attacks targeting a wide range of victims globally.…


Short Summary:

In July 2024, Palo Alto Networks identified Lynx ransomware, a successor to INC ransomware, which has targeted various sectors in the U.S. and UK. Lynx operates under a ransomware-as-a-service model and employs double-extortion tactics, exfiltrating data before encryption. The article outlines the delivery mechanisms, technical analysis, and comparisons with INC ransomware, emphasizing the need for robust cybersecurity measures.…

Short Summary:

Unit 42 has identified ongoing malicious activities by North Korean threat actors, known as the CL-STA-240 Contagious Interview campaign. These actors pose as recruiters to lure job seekers into downloading malware, specifically the BeaverTail downloader and the InvisibleFerret backdoor. The campaign has evolved with updates to the malware, which now targets both macOS and Windows platforms, and includes features for stealing sensitive data, particularly cryptocurrency wallets.…

Short Summary:

This article discusses four recently identified DNS tunneling campaigns, highlighting the techniques used by threat actors to bypass network security and establish covert communication channels. The campaigns were detected using a new monitoring system that analyzes domain attributes to uncover emerging threats. The findings emphasize the importance of monitoring DNS traffic to prevent data exfiltration and infiltration.…
