In this post, we share information about how security professionals can take analysis shortcuts to quickly triage and analyze multiple malware samples. Within minutes, we can determine the malware families from a group of samples, parse the embedded configuration and extract the associated network indicators of compromise (IoCs).…
Author: Unit42
Executive Summary: Researchers from Palo Alto Networks have identified two vulnerabilities in LangChain, a popular open source generative AI framework with over 81,000 stars on GitHub:
LangChain’s website states that more than one million builders use LangChain frameworks for LLM app development.…
Executive Summary: The ransomware group RA Group, now known as RA World, showed a noticeable uptick in their activity since March 2024. About 37% of all posts on their dark web leak site have appeared since March, suggesting this is an emerging group to watch.…
Executive Summary: This article reviews container escape techniques, assesses their possible impact and reveals how to detect these escapes from the perspective of endpoint detection and response (EDR).
As cloud services rise in popularity, so does the use of containers, which have become an integrated part of cloud infrastructure.…
This article discusses recent samples of BadPack Android malware and examines how this threat’s tampered headers can obstruct malware analysis. We also review the effectiveness of various freely available tools for analyzing BadPack Android Package Kit (APK) files.
The cybersecurity landscape has seen a dramatic increase in malicious Android applications in recent years.…
This article reviews a DarkGate malware campaign from March-April 2024 that uses Microsoft Excel files to download a malicious software package from public-facing SMB file shares. This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware.…
This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code. This evasion technique used by GootLoader JavaScript files can present a formidable challenge for sandboxes attempting to analyze the malware.
Sandboxes with limited computing resources can struggle to analyze a large volume of binaries.…
On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers (sshd) on glibc-based Linux systems. This vulnerability, called RegreSSHion and tracked as CVE-2024-6387, can result in unauthenticated remote code execution (RCE) with root privileges. This vulnerability has been rated High severity (CVSS 8.1).…
In this article, Unit 42 researchers detail recent findings of malicious Cobalt Strike infrastructure. We also share examples of malicious Cobalt Strike samples that use Malleable C2 configuration profiles derived from the same profile hosted on a public code repository.
Cobalt Strike is a commercial software framework that enables security professionals like red team members to simulate attackers embedding themselves in a network environment.…
This post reviews strategies for identifying and mitigating potential attack vectors against virtual machine (VM) services in the cloud. Organizations can use this information to understand the potential risks associated with their VM services and strengthen their defense mechanisms. This research focuses on VM services offered by three major cloud service providers (CSPs): Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP).…
Executive Summary: A Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call Operation Diplomatic Specter. This campaign has been targeting political entities in the Middle East, Africa and Asia since at least late 2022.…
Executive Summary: In this post, we look at the types of embedded payloads that attackers leverage to abuse Microsoft OneNote files. Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files.…
This article presents a case study on new applications of domain name system (DNS) tunneling we have found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes.
Malicious actors occasionally employ DNS tunneling as a covert communications channel, because it can bypass conventional network firewalls.…
Executive Summary: In this post, we examine lateral movement techniques, showcasing some that we have observed in the wild within cloud environments. Lateral movement can be achieved by leveraging both cloud APIs and access to compute instances, with access at the cloud level potentially extending to the latter.…
Executive Summary: Unit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments. Organizations often store a variety of data in SaaS applications and use services from CSPs.…
Palo Alto Networks and Unit 42 are engaged in tracking activity related to CVE-2024-3400 and are working with external researchers, partners and customers to share information transparently and rapidly.
A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.…
Executive Summary: Our telemetry indicates a growing number of threat actors are turning to malware-initiated scanning attacks. This article reviews how attackers use infected hosts for malware-based scans of their targets instead of the more traditional approach using direct scans.…
Summary: The XZ Utils Data Compression Library has a vulnerability that impacts multiple Linux distributions. It is recommended to downgrade to an uncompromised version or migrate to updated releases.
Key Points:
* The vulnerability, CVE-2024-3094, has a critical severity level.
* The vulnerability is a result of a supply chain compromise in versions 5.6.0 and 5.6.1 of XZ Utils.…
Executive Summary: Over the past 90 days, Unit 42 researchers have identified two Chinese advanced persistent threat (APT) groups conducting cyberespionage activities against entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN):
The first APT group, Stately Taurus, created two malware packages we believe targeted entities in Myanmar, the Philippines, Japan and Singapore.…
StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. Upon a successful attack, the threat actor would gain access to the victim’s email login information, which they can then use to perform further attacks.…