Tracking Elirks Variants in Japan: Similarities to Previous Attacks

A recent, well-publicized attack on a Japanese business involved two malware families, PlugX and Elirks, that were found during the investigation. PlugX has been used in a number of attacks since first being discovered in 2012, and we have published several articles related to its use, including an analysis of an attack campaign targeting Japanese

Adversaries and Their Motivations (Part 3)

In part three of the Adversaries and Their Motivations blog series, we’ll explore the following top-level actor motivations: Cyber Warfare, Cyber Terrorism, and Cyber Mischief. Even Fuzzier Boundaries The high-level actor motivations covered earlier in this blog series introduced challenges in identifying and attributing activity between Cyber Espionage, Cyber Crime, and Cyber Hacktivism. Analysis of

Inside TDrop2: Technical Analysis of new Dark Seoul Malware

Palo Alto Networks recently identified a new campaign targeting the transportation sector in Europe with ties to the Dark Seoul and Operation Troy campaigns that took place in 2013. This new campaign used updated instances of the Tdrop malware family discovered in the Operation Troy campaign. For more information on the new campaign discovered by

Our Commitment to Sharing Threat Intelligence

Part of my role as the Director of Threat Intelligence for Palo Alto Networks is to share the intelligence we produce with others who can put it to use in defending their networks. We believe wholeheartedly that having better information about the threats you face will help you defend yourself from harm. Knowing what kinds

Adversaries and Their Motivations (Part 2)

This post is the second in a blog series describing adversaries and their motivations. In part two of the series, we’ll explore the following top-level actor motivations: Cyber Espionage, Cyber Crime, and Cyber Hacktivism. Adversary Operational Maturity, Targeting, and Key Roles Before we start, there are some additional concepts that add context to exploring malicious

CryptoWall 3, the Cyber Threat Alliance and the Future of Information Sharing

Executive Summary The Palo Alto Networks vision for threat information sharing is that cybersecurity vendors should share the intelligence that they all individually collect with each other and with whomever else has the capacity to consume it. In that way, each vendor can build more innovative products with that superset of intelligence and better protect their

Understanding Global Application Usage and Threats to Enterprises

“A single arrow is easily broken, but not ten in a bundle.” – Japanese proverb Is prevention of cyber attacks impossible? Is trying to prevent attacks a waste of time? Should we spend all our time focused on incident response? These are constant questions in cybersecurity, and while the truth is that we can’t prevent

KeyRaider iOS Malware: How to Keep Yourself Safe

Earlier this week we published an analysis of KeyRaider, which is an iOS malware family and a reminder of the risks users take when they choose to jailbreak their mobile devices. Attackers used KeyRaider malware to steal more than 225,000 Apple accounts. KeyRaider targeted only jailbroken Apple devices, primarily through Chinese websites and apps that

KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia

Executive Summary Recently, WeipTech was analyzing suspicious Apple iOS tweaks reported by users and found over 225,000 valid Apple accounts with passwords stored on a server. In cooperation with WeipTech, we have identified 92 samples of a new iOS malware family in the wild. We have analyzed the samples to determine the author’s ultimate goal

RTF Exploit Installs Italian RAT: uWarrior

Unit 42 researchers have observed a new Remote Access Tool (RAT) constructed by an unknown actor of Italian origin. This RAT, referred to as uWarrior because of embedded PDB strings, has been previously described by an independent researcher who noted a potentially unknown exploit being used against Microsoft Office.

Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor

On July 16, 2015, the Palo Alto Networks Unit 42 threat intelligence team discovered a watering hole attack on the website of a well-known aerospace firm. The website was compromised to launch an apparent watering hole attack against the company’s customers. It was hosting an Adobe Flash exploit targeting one of the newly disclosed vulnerabilities from

2015 Verizon Data Breach Investigations Report (DBIR): Insights from Unit 42

The 2015 Verizon Data Breach Investigations Report (DBIR) represents the first time Palo Alto Networks has contributed data to this important publication, and we are proud to be part of an intelligence-sharing ecosystem that, in the end, raises the collective bar for everyone in the industry. While reviewing the findings, a few key points stood

Watch Our Researchers Cover Predicting Malicious Domains at VB2014

Malicious domains are commonly used by cyberattackers for command and control communication, hosting malware and phishing attacks. Palo Alto Networks researchers Wei Xu, Kyle Sanders and Yanxin Zhang recently explored ways to predict malicious domains so they can be added to blacklists before they go live. To hear how they went about this, and to

Analysis: CryptoWall 3.0, Dyre and I2P

For a moment, put yourself in the shoes of a cyber criminal. You’ve collected an array of tools (malware), built up your infrastructure (command and control (C2) servers) and you have a process to make money off your hard work. You wake up on Monday morning and the domains your carefully built malware uses for