Executive Summary The Hide ‘N Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer communication between bots. Since its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).

Our researchers have discovered a new Mirai variant that uses 8 new vulnerabilities and targets new IoT devices.

The blog highlights the results from Unit 42’s research into misconfigured containers, methods for identifying services exposed to the public, and mitigation steps to secure container services. In this blog, we identify common misconfigurations in container services. This allows our readers to deploy their container platform structures in a more secure and private fashion, avoiding the methods of data gathering that we outline in this blog.

Currently available container-based infrastructure has limitations because containers are not truly sandboxed and share the host OS kernel. The root of the problem is the weak separation between containers when the host OS creates a virtualized userland for each container. This blog covers four unique projects from IBM, Google, Amazon, and OpenStack, respectively, that use different techniques to achieve the same goal, creating stronger isolation for containers. The overview in this blog of state of the art research should help readers prepare for the upcoming transformation.

As part of ongoing threat research, Palo Alto Networks Unit 42 threat researchers have discovered 28 new vulnerabilities addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of their May Adobe Security Bulletin APSB19-18 and five Foxit Reader vulnerabilities addressed by Foxit Software as part of their recent security update releases. The Adobe vulnerabilities discovered included 19 Critical and 9 Important rated vulnerabilities.

Our latest research evaluates the data from our Email Link Analysis (ELINK) system and shows France rises to number one for malicious URL hosting, the US to number one for phishing for Web-based threats in the last quarter of 2018. Learn more details in the full report.

Our latest research shows attacks against Middle East government Sharepoint servers using a newly patched vulnerability. In our blog, we provide details of the tools and tactics, explain how we believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security, and provide indicators of compromise (IoCs) from our research.

Our latest research into Shade ransomware shows attackers recently targeted high-tech firms, wholesalers and educational institutions in U.S., Japan, India, Thailand and Canada in early 2019 with English-language malspam.

Our latest ongoing research into the Silver Terrier Nigerian threat actors shows that attacks increased by 54 percent in 2018 as targeting of high-tech firms and manufacturers surged.
We also show how attackers are using more sophisticated tools like information stealers, remote access tools and obfuscating malware so that it’s only detected 58% of the time. Unit 42 has observed
1.1 million attacks with more than 51,000 malware samples over the four years we have been monitoring this threat actor.

Unit 42 researchers detail how attacks against the newly patched Oracle Weblogic vulnerability may increase based on details of the vulnerability and analysis of activity seen to date. Research also shows how attackers are using the vulnerability to plant XMRig cryptominer on vulnerable systems.

Unit 42 researchers have found in the wild a new variant of the Muhstik Botnet exploiting the latest WebLogic vulnerability for cryptomining and DDoS attacks. Our latest research provides analysis of these new attacks.

Unit 42 digs into the recent OilRig data dump and finds new information on the breadth of attacks and OilRig’s toolset. Our analysis show OilRig attacks are broader than previously thought: 97 organizations in 27 countries, including the Middle East and China and 18 industries – including government, technology, telecommunications and transportation.

In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.

Unit 42 leaders Ryan Olson and Rick Howard present another another episode of their “Don’t Panic” podcast, where they break down the big issues in cyber security and tell you why you don’t need to panic. This week’s episode is about Watering Hole attacks. This technique involves compromising specific websites to target their readers with malware.

At Palo Alto Networks, Unit 42 analyzes threats across the spectrum – from nation state all the way down to Florida state. In this blog, I’ll be covering two aspects of multi-year affiliate marketing spam campaigns designed to deceive individuals, scam, and profit off of people’s desire to change their lives.First, I’ll provide an overview of a spam campaign sent to some customers that led me down this more than two year rabbit hole, and then dig into the inner workings. This blog covers a number of topics: data collection, analysis, and enumeration of infrastructure. These efforts allowed us to map out thousands of compromised servers and abused domains and hundreds of compromised accounts, resulting in a collaborative effort with GoDaddy to take down over 15,000 subdomains being used across these campaigns.