Our latest research into Shade ransomware shows attackers recently targeted high-tech firms, wholesalers and educational institutions in U.S., Japan, India, Thailand and Canada in early 2019 with English-language malspam.

Our latest ongoing research into the Silver Terrier Nigerian threat actors shows that attacks increased by 54 percent in 2018 as targeting of high-tech firms and manufacturers surged.
We also show how attackers are using more sophisticated tools like information stealers, remote access tools and obfuscating malware so that it’s only detected 58% of the time. Unit 42 has observed
1.1 million attacks with more than 51,000 malware samples over the four years we have been monitoring this threat actor.

Unit 42 researchers detail how attacks against the newly patched Oracle Weblogic vulnerability may increase based on details of the vulnerability and analysis of activity seen to date. Research also shows how attackers are using the vulnerability to plant XMRig cryptominer on vulnerable systems.

Unit 42 researchers have found in the wild a new variant of the Muhstik Botnet exploiting the latest WebLogic vulnerability for cryptomining and DDoS attacks. Our latest research provides analysis of these new attacks.

Unit 42 digs into the recent OilRig data dump and finds new information on the breadth of attacks and OilRig’s toolset. Our analysis show OilRig attacks are broader than previously thought: 97 organizations in 27 countries, including the Middle East and China and 18 industries – including government, technology, telecommunications and transportation.

In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.

Unit 42 leaders Ryan Olson and Rick Howard present another another episode of their “Don’t Panic” podcast, where they break down the big issues in cyber security and tell you why you don’t need to panic. This week’s episode is about Watering Hole attacks. This technique involves compromising specific websites to target their readers with malware.

At Palo Alto Networks, Unit 42 analyzes threats across the spectrum – from nation state all the way down to Florida state. In this blog, I’ll be covering two aspects of multi-year affiliate marketing spam campaigns designed to deceive individuals, scam, and profit off of people’s desire to change their lives.First, I’ll provide an overview of a spam campaign sent to some customers that led me down this more than two year rabbit hole, and then dig into the inner workings. This blog covers a number of topics: data collection, analysis, and enumeration of infrastructure. These efforts allowed us to map out thousands of compromised servers and abused domains and hundreds of compromised accounts, resulting in a collaborative effort with GoDaddy to take down over 15,000 subdomains being used across these campaigns.

Unit 42 releases new details on two vulnerabilities in Social Warfare (CVE-2019-9978). Both vulnerabilities are present in all versions of Social Warfare prior to 3.5.3: an estimated 42,000 websites are potentially vulnerable. Unit 42 researchers found five compromised sites actively used for hosting malicious exploit code, which allows the attackers to control more websites. In this blog post we provide new details on the root cause of the vulnerabilities, proof of concept code (PoC) to demonstrate the vulnerability, and information on attacks we observed in the wild as well as the scope of vulnerable sites.

In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country. Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia. In this blog, we outline our findings around a new campaign we’ve named the Aggah Campaign based on the actor’s alias “hagga”.

On March 15, Unit 42 published a blog providing an overview of DNS tunneling and how malware can use DNS queries and answers to act as a command and control channel. To supplement this blog, we have decided to describe a collection of tools that rely on DNS tunneling used by an adversary known as OilRig.

Unit 42 discovers new samples of Mirai compiled for additional processors, Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze, potentially increasing the DDoS firepower of Mirai.

When a host is infected or otherwise compromised, security professionals need to quickly review packet captures of suspicious network traffic to identify affected hosts and users. This tutorial offers tips on how to gather pcap data using Wireshark, the widely used network protocol analysis tool.

A Unit 42 analysis of LockerGoga ransomware samples reveals that its developers have added new features to the malware, which was used in a string of attacks on industrial firms.

Unit 42 has discovered a new version of CardinalRat which we first discovered in 2016. This new version targets financial technology companies, primarily in Israel. It includes new anti-analysis capabilities, including the use of steganography. In addition to our research, we include a new Python script to decrypt the steganographic payload.